Seems like your requirements call for the classic, old-school "internal root" setup. Define your own root zone that *only* has delegations for example.com and whatever parts of the in-addr.arpa namespace you want to resolve. That way, everything outside the example.com namespace and the in-addr.arpa namespace(s) will get an NXDOMAIN response.
After doing that, you may find that you don't even need the "type forward" definition for example.com. If you happen to run across a subzone that isn't delegated properly, you can probably work around that "broken" subzone with a "stub" zone definition, until it can be fixed. Forwarding is usually to be considered as a last resort, if you really *cannot* talk directly to any of the authoritative nameservers for a given zone (e.g. in a DMZ scenario).

- Kevin

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Luis Felipe Dominguez Vega
Sent: Monday, January 16, 2017 10:17 AM
To: bind-users@lists.isc.org
Subject: Restricted bind to my domain only

Hello, I was searching Google for my problem, but I think it is better to write to the list.

I am using BIND with Samba 4 (with BIND_DLZ) serving the domain mtz.example.com, but I need to resolve through another server the queries for the domain example.com and other subdomains (like grm.example.com, vcl.example.com), and I don't want to resolve anything else (to prevent DNS tunnelling). So I need to enable recursion and permit that recursion for my network; the problem is that it always resolves google.com, facebook.com, etc., and I want to resolve only the names in Samba (BIND_DLZ) and have all others forwarded by my other server. Files:
Note: 192.168.44.2 is my forward DNS server that only accepts example.com domains and subdomains.

named.conf:
===========================================================================
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
===========================================================================

named.conf.options:
===========================================================================
options {
        directory "/var/cache/bind";
        dump-file "/var/cache/bind/data/cache_dump.db";
        statistics-file "/var/cache/bind/data/named_stats.txt";
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        datasize default;
        empty-zones-enable no;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        #recursion no;
        allow-query { 192.168.0.0/24; 10.11.0.0/24; 127.0.0.1/8; };
        allow-recursion { 127.0.0.1/8; 192.168.0.0/24; 10.11.0.1/24; };
        allow-update { 127.0.0.1; };
        allow-transfer { 192.168.0.0/24; };
        version none;
        hostname none;
        server-id none;
        listen-on-v6 { none; };
};

logging {
        channel xfer-log {
                file "/var/log/named.log";
                print-category yes;
                print-severity yes;
                severity info;
        };
        category xfer-in { xfer-log; };
        category xfer-out { xfer-log; };
        category notify { xfer-log; };
};

statistics-channels {
        inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
};
===========================================================================

named.conf.default-zones:
===========================================================================
// prime the server with knowledge of the root servers
#zone "." {
#       type hint;
#       file "/etc/bind/db.empty";
#};

#zone "." {
#       type forward;
#       forward only;
#       forwarders { 192.168.44.2; };
#};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "example.com" {
        type forward;
        forward only;
        forwarders { 192.168.44.2; };
};

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
===========================================================================

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
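The "internal root" layout Kevin describes, written out as an added example. This is not configuration from the thread or from ISC; it is one way to build it for the poster's situation. It assumes the recursive resolver is itself the master for ".", that the authoritative server for example.com is ns1.example.com at 192.168.0.10, that the resolver's own address is 192.168.0.53, and that 192.168.0.20 hosts a hypothetical badly delegated grm.example.com (all addresses are placeholders chosen for the example, not values from the thread). It also assumes the private root is unsigned, so `dnssec-validation` is turned off: with `auto`, BIND would try to validate the unsigned private root against its built-in trust anchor for "." and answer SERVFAIL for everything. The existing `type forward` zone for example.com and the commented-out forwarding root zone would be removed, since the delegation in the root zone now does that job.

```conf
// ---- /etc/bind/db.root.internal (private root zone; constructed example) ----
// Zone file syntax: comments start with ';'.
//
// $TTL 3600
// $ORIGIN .
// @       IN SOA  resolver.example.com. hostmaster.example.com. (
//                 2017011601  ; serial (constructed)
//                 3600        ; refresh
//                 900         ; retry
//                 1209600     ; expire
//                 3600 )      ; negative-cache TTL
//
// ; The root is served by this resolver itself (assumed address).
// @       IN NS   resolver.example.com.
// resolver.example.com.   IN A  192.168.0.53   ; glue, assumed
//
// ; The ONLY delegations. Anything not under these names gets NXDOMAIN
// ; straight from this zone and is never sent anywhere else.
// example.com.            IN NS ns1.example.com.
// ns1.example.com.        IN A  192.168.0.10   ; glue, assumed
// 168.192.in-addr.arpa.   IN NS ns1.example.com.
// 11.10.in-addr.arpa.     IN NS ns1.example.com.

// ---- /etc/bind/named.conf.options (only the lines that change) ----
options {
        // Unsigned private root: validation against the built-in root
        // trust anchor cannot succeed, so it must be disabled (assumption).
        dnssec-validation no;
        recursion yes;
        allow-recursion { 127.0.0.1; 192.168.0.0/24; 10.11.0.0/24; };
        // No global 'forwarders' here: a forwarder would bypass the root zone.
};

// ---- /etc/bind/named.conf.default-zones (replaces the example.com forward zone) ----
// Private root: everything outside the delegations in db.root.internal is
// answered NXDOMAIN locally, which is what blocks resolution of arbitrary
// external names (and thus most DNS tunnelling) without any forwarding.
zone "." {
        type master;
        file "/etc/bind/db.root.internal";
};

// Workaround Kevin mentions for a subzone whose delegation is broken:
// a stub zone pulls that subzone's NS records directly from its server
// until the parent's delegation is fixed. Hypothetical address.
// zone "grm.example.com" {
//         type stub;
//         masters { 192.168.0.20; };
//         file "/var/cache/bind/grm.example.com.stub";
// };

// The Samba BIND_DLZ include stays as it is; mtz.example.com continues to
// be served locally from the DLZ database.
```

Before reloading, `named-checkzone . /etc/bind/db.root.internal` and `named-checkconf -z` catch syntax and delegation mistakes. After reloading, `dig @127.0.0.1 www.google.com` should return NXDOMAIN with the SOA of "." in the authority section, while `dig @127.0.0.1 host.grm.example.com` should follow the delegation to ns1.example.com; a query that instead returns SERVFAIL usually means `dnssec-validation` was left at `auto`.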