Hi Chuck,

Thanks a lot for the help! Your configuration worked for me, even with 
multiple domains. One little fix:

> fakens        .                IN A            ip.of.captive.portal.server
fakens. IN A ip.of.captive.portal.server

Regards,
Sergey Emantayev

On Saturday, September 19, 2015 5:13 PM, Chuck Anderson <c...@wpi.edu> wrote:

I'm not sure keeping "dnssec-enable yes" is a good idea, because you
are creating a fake root zone and you won't have the real root keys to
sign answers with.

The best way I've found to allow some DNS queries to resolve to their
regular answers is to create a forward-only zone.  That way you don't
have to keep a copy of the real RDATA up to date in your own zone
file.  You also need to add fake NS delegation entries for the zones
you are overriding.  Here is how I did it for apple.com:

named.conf:

        zone "." in {
                type master;
                file "/var/named/fakeroot.zone";
        };

        zone "." in {
                type hint;
                file "/var/named/named.root";
        };

        // Allow clients to resolve real addresses of Apple services for new
        // device registration.
        // You also need matching fake NS records in the fake root zone to
        // allow the forward-only zones to work.
        zone "apple.com" {
                type forward;
                forward only;
                forwarders {
                        ip1.of.real.recursive.dns.server;
                        ip2.of.real.recursive.dns.server;
                };
        };

named.root:

.       3600    IN NS fakens.
fakens. 3600    A       ip.of.captive.portal.server


fakeroot.zone:

$ORIGIN .
$TTL 2
. IN SOA localhost. root.localhost. ( 2015082010   ; serial
                                        3600    ; refresh
                                        1       ; retry
                                        604800  ; expire
                                        86499   ; minimum
                                        )
                                NS fakens.
fakens        .                 IN A            ip.of.captive.portal.server

; Allow clients to resolve real addresses of Apple services for new
; device registration.
; These NS records are fake/unused but they allow the matching forward-only
; zones in named.conf to work with the fake root zone.
apple.com.                      IN NS           fakens.

; Any zones referenced above must have an explicit wildcard entry
; for ALL the parent zones here for them to be able to resolve to
; the captive portal server.  Otherwise you will get NXDOMAIN
; for those names, which is probably not what you want.
*.com.                          IN A            ip.of.captive.portal.server
*.                              IN A            ip.of.captive.portal.server



On Sat, Sep 19, 2015 at 01:37:31PM +0000, Sergey Emantayev wrote:
> Hello DNS gurus,
> 
> I'm mastering a sinkhole DNS for a quarantine VLAN. My sinkhole DNS resolves 
> any request to the same host, so that the quarantined clients get redirected 
> to my server. I have the following DNS configuration (running bind-9.8.2-0.17.rc1 
> on RHEL 6.4):
> 
> options {
>         listen-on port 53 { 10.10.0.1;};
>         // listen-on-v6 port 53 { ::1; };
>         directory       "/var/named";
>         dump-file       "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>         allow-query     { 10.10.0.0/24; };
>         allow-transfer {"none";};
>         recursion no;
> 
>         dnssec-enable yes;
>         dnssec-validation yes;
>         dnssec-lookaside auto;
> 
>         /* Path to ISC DLV key */
>         bindkeys-file "/etc/named.iscdlv.key";
> 
>         managed-keys-directory "/var/named/dynamic";
> };
> 
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
> 
> zone "." IN {
>         type master;
>         file "/var/named/named.sinkhole";
> };
> 
> // include "/etc/named.rfc1912.zones";
> 
> include "/etc/named.root.key";
> 
> The file /var/named/named.sinkhole has following content:
> 
> $TTL 600
> @       IN SOA  localhost root.localhost. (
>                                         11      ; serial
>                                         3H      ; refresh
>                                         15M     ; retry
>                                         1W      ; expire
>                                         1D )    ; minimum
>         IN NS   @
>         IN A    10.10.0.1
> *       IN A    10.10.0.1
> 
> So far this is working perfectly.
> I have a new requirement now: the quarantined client should have access 
> to an external host. I have added the following configuration to /etc/named.conf:
> 
> zone "test.com" IN {
>         type master;
>         file "/var/named/named.test";
> };
> 
> /var/named/named.test:
> 
> 
> $TTL 600
> @       IN SOA  ns.test.com. root.localhost. (
>                                         22      ; serial
>                                         3H      ; refresh
>                                         15M     ; retry
>                                         1W      ; expire
>                                         1D )    ; minimum
>         IN NS   ns.test.com.
> ns      IN A    10.10.0.1
> www     IN A    X.X.X.X ;; X is replaced by an actual IP address
> 
> Unfortunately my naive approach did not work. "www.test.com" is still 
> resolved to 10.10.0.1 and I see that the global zone "." is always hit unless 
> I comment out the global zone definition.
> 
> I'm a bit new to DNS. Any help is appreciated. Ideally my DNS should delegate 
> the "www.test.com" request and not store its IP locally.
>  
> Many Thanks,
> 
> Sergey Emantayev
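Added example, not code from the thread or from BIND: a small Python model of how a query is answered against a fake root zone like Chuck's fakeroot.zone, applying the RFC 4592 wildcard rule (find the closest encloser, then look for its "*" child). It shows why the fake "apple.com. IN NS" delegation creates the empty non-terminal "com.", so that "*." alone no longer covers other .com names and "*.com." is needed, exactly as Chuck's comment says. The zone contents, the forward-zone list and the PORTAL address (an RFC 5737 documentation address standing in for ip.of.captive.portal.server) are constructed; the functions `build_fake_root`, `lookup`, `missing_parent_wildcards` and `resolve` are this example's own.

```python
"""Constructed model of name lookup in a fake root zone (not BIND code)."""
from typing import Dict, List, Optional, Tuple

PORTAL = "192.0.2.1"  # placeholder for ip.of.captive.portal.server
Zone = Dict[str, List[Tuple[str, str]]]  # owner name -> [(rrtype, rdata)]


def canon(name: str) -> str:
    """Absolute, lower-case owner name ('www.example.com.' form)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parent(name: str) -> str:
    """Parent of an absolute name; the parent of a TLD is the root '.'."""
    if name == ".":
        raise ValueError("root has no parent")
    rest = name.split(".", 1)[1]
    return rest if rest else "."


def build_fake_root(forward_zones: List[str], parent_wildcards: List[str]) -> Zone:
    """Fake root zone modelled on the thread's fakeroot.zone (constructed data)."""
    zone: Zone = {
        ".": [("SOA", "localhost. root.localhost."), ("NS", "fakens.")],
        "fakens.": [("A", PORTAL)],
        "*.": [("A", PORTAL)],  # catch-all for names directly under the root
    }
    for fz in forward_zones:  # fake delegations matching the forward-only zones
        zone.setdefault(canon(fz), []).append(("NS", "fakens."))
    for wc in parent_wildcards:  # e.g. '*.com.' for each parent of a delegation
        zone.setdefault(canon(wc), []).append(("A", PORTAL))
    return zone


def name_exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns records or is an ancestor of an owner name
    (an empty non-terminal). 'apple.com.' in the zone makes 'com.' exist."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)


def lookup(zone: Zone, qname: str, qtype: str = "A") -> Tuple[str, List[str]]:
    """Simplified authoritative lookup: (status, rdata) with status one of
    REFERRAL, ANSWER, NODATA, NXDOMAIN."""
    qname = canon(qname)
    n = qname  # 1. a delegation at or above the name (below the apex) -> referral
    while n != ".":
        if n in zone and any(t == "NS" for t, _ in zone[n]):
            return ("REFERRAL", [r for t, r in zone[n] if t == "NS"])
        n = parent(n)
    if qname in zone:  # 2. exact match
        rr = [r for t, r in zone[qname] if t == qtype]
        return ("ANSWER", rr) if rr else ("NODATA", [])
    if name_exists(zone, qname):  # empty non-terminal: NOERROR, no data
        return ("NODATA", [])
    ce = parent(qname)  # 3. closest encloser, then its wildcard child
    while not name_exists(zone, ce):
        ce = parent(ce)
    wildcard = "*." + ce if ce != "." else "*."
    if wildcard in zone:
        rr = [r for t, r in zone[wildcard] if t == qtype]
        return ("ANSWER", rr) if rr else ("NODATA", [])
    return ("NXDOMAIN", [])


def missing_parent_wildcards(zone: Zone, forward_zones: List[str]) -> List[str]:
    """Parents of each fake delegation that lack a '*.<parent>' A record,
    i.e. the wildcard entries the fake root still needs."""
    missing: List[str] = []
    for fz in forward_zones:
        n = parent(canon(fz))
        while True:
            wc = "*." + n if n != "." else "*."
            if wc not in zone and wc not in missing:
                missing.append(wc)
            if n == ".":
                break
            n = parent(n)
    return missing


def resolve(forward_zones: List[str], zone: Zone, qname: str) -> Tuple[str, List[str]]:
    """named.conf zone selection: the most specific configured zone wins, so a
    forward-only zone for apple.com. takes every name under it away from the
    fake root; everything else is answered from the fake root zone."""
    q = canon(qname)
    best: Optional[str] = max(
        (canon(fz) for fz in forward_zones if q == canon(fz) or q.endswith("." + canon(fz))),
        key=len, default=None)
    return ("FORWARD", [best]) if best else lookup(zone, q)


if __name__ == "__main__":
    fwd = ["apple.com"]
    without = build_fake_root(fwd, [])
    print("foo.com without *.com.:", lookup(without, "foo.com"))  # NXDOMAIN
    print("still missing:", missing_parent_wildcards(without, fwd))
    fixed = build_fake_root(fwd, ["*.com."])
    print("foo.com with *.com.:", lookup(fixed, "foo.com"))  # portal address
    print("www.apple.com:", resolve(fwd, fixed, "www.apple.com"))  # forwarded
```

Run it as-is to see the NXDOMAIN turn into a portal answer once "*.com." is added; extend `fwd` with each zone you forward and `missing_parent_wildcards` lists every "*.<parent>" record the fake root still lacks.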
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users