Re: Allow dns queries for specific subdomain x.domain.com and block rest of the queries for *.domain.com

2017-04-11 Thread Manuel Ramírez
Thank you very much for both answers.

Regards


On 11 Apr 2017 19:17, "Chris Buxton" wrote:

> On Apr 11, 2017, at 2:19 AM, Manuel Ramírez wrote:
>
> > Hi,
> >
> > I would like to allow queries for specific blogspot.com subdomains and
> > block the rest of the queries.
> > I have a file with several zones configured, one of those zones is the
> > specific subdomain type "forward":
> >
> >     zone "w.blogspot.com" IN { type forward;
> >     forwarders { 213.0.184.85; 213.0.184.88; };};
> >
> > and below I have the zone blogspot.com as master resolving an internal IP:
> >
> >     zone "blogspot.com" IN { type master; file
> >     "/var/named/data/db.sinkhole"; };
> >
> > But it is not working, it always resolves the internal IP address. I thought
> > it evaluates the zones in order and first should forward the query for
> > w.blogspot.com but it is always matching the other zone.
> > Any idea about how I can achieve my goal?
>
> No, order is not considered. Rather, there are two separate searches:
>
> - Is there an authoritative answer available from local data? In this case,
> yes, because you have a sinkhole zone named "blogspot.com", from which an
> authoritative negative answer can be derived.
> - If the first search does not return an answer, then use the recursion
> algorithm, including checking the cache and checking for the most specific
> forwarding configuration (if any) that would apply.
>
> Doing what you want is better solved using RPZ, as Tony Finch mentioned. To
> do this, do not define these two zone statements. Instead, define a
> response policy zone that says that *.blogspot.com should be blocked, but
> that specific names (e.g. w.blogspot.com) should be whitelisted. Read the
> BIND v9 ARM for details on how to accomplish this.
>
> Regards,
> Chris Buxton
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Allow dns queries for specific subdomain x.domain.com and block rest of the queries for *.domain.com

2017-04-11 Thread Chris Buxton
> On Apr 11, 2017, at 2:19 AM, Manuel Ramírez wrote:
>
> Hi,
>
> I would like to allow queries for specific blogspot.com subdomains and
> block the rest of the queries.
> I have a file with several zones configured, one of those zones is the
> specific subdomain type "forward":
>
>     zone "w.blogspot.com" IN { type forward;
>     forwarders { 213.0.184.85; 213.0.184.88; };};
>
> and below I have the zone blogspot.com as master resolving an internal IP:
>
>     zone "blogspot.com" IN { type master; file
>     "/var/named/data/db.sinkhole"; };
>
> But it is not working, it always resolves the internal IP address. I thought
> it evaluates the zones in order and first should forward the query for
> w.blogspot.com but it is always matching the other zone.
> Any idea about how I can achieve my goal?

No, order is not considered. Rather, there are two separate searches:

- Is there an authoritative answer available from local data? In this case,
yes, because you have a sinkhole zone named "blogspot.com", from which an
authoritative negative answer can be derived.
- If the first search does not return an answer, then use the recursion
algorithm, including checking the cache and checking for the most specific
forwarding configuration (if any) that would apply.

Doing what you want is better solved using RPZ, as Tony Finch mentioned. To do
this, do not define these two zone statements. Instead, define a response
policy zone that says that *.blogspot.com should be blocked, but that specific
names (e.g. w.blogspot.com) should be whitelisted. Read the BIND v9 ARM for
details on how to accomplish this.

Regards,
Chris Buxton
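
The response policy zone described in the reply above could look like the
following. This is an added example, not configuration posted by anyone in the
thread; the policy zone name rpz.local, its file path, and the SOA/NS values
are assumptions chosen for illustration.

```bind
// named.conf (fragment). The two blogspot.com zone statements from the
// original post are removed, as the reply advises.

options {
    // ... existing options stay as they are ...
    // Apply the rules in this policy zone to answers given to clients.
    response-policy { zone "rpz.local"; };
};

// The policy zone is ordinary zone data loaded by named itself.
zone "rpz.local" {                        // assumed (hypothetical) zone name
    type master;
    file "/var/named/data/db.rpz.local";  // assumed (hypothetical) path
    allow-query { localhost; };           // policy data is not served to clients
    allow-transfer { none; };
};

; ---- /var/named/data/db.rpz.local (zone file, separate from named.conf) ----
$TTL 300
@   IN SOA localhost. root.localhost. ( 1 3600 600 86400 300 ) ; placeholder values
    IN NS  localhost.

; Owner names are relative to the policy zone origin (no trailing dot).
; Exact name: let the query resolve normally.
w.blogspot.com      IN CNAME rpz-passthru.
; Other names under blogspot.com: answer NXDOMAIN.
*.blogspot.com      IN CNAME .
; The wildcard does not cover the bare domain, so it gets its own rule.
blogspot.com        IN CNAME .
; To keep the sinkhole behaviour of the original post instead of NXDOMAIN,
; replace "CNAME ." with an A record holding the sinkhole address.
```

Both files can be checked before reloading with named-checkconf and
named-checkzone rpz.local /var/named/data/db.rpz.local.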

Re: Allow dns queries for specific subdomain x.domain.com and block rest of the queries for *.domain.com

2017-04-11 Thread Tony Finch
Manuel Ramírez wrote:
>
> I would like to allow queries for specific blogspot.com subdomains and
> block the rest of the queries.

> Any idea about how I can achieve my goal?

I think this should be easy to achieve with RPZ.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Forth, Tyne, Dogger, Fisher, German Bight: West 5 to 7, occasionally gale 8 in
Forth. Moderate or rough. Rain or showers. Moderate or good, occasionally
poor.

Allow dns queries for specific subdomain x.domain.com and block rest of the queries for *.domain.com

2017-04-11 Thread Manuel Ramírez
Hi,

I would like to allow queries for specific blogspot.com subdomains and
block the rest of the queries.
I have a file with several zones configured, one of those zones is the
specific subdomain type "forward":

    zone "w.blogspot.com" IN { type forward;
    forwarders { 213.0.184.85; 213.0.184.88; };};

and below I have the zone blogspot.com as master resolving an internal IP:

    zone "blogspot.com" IN { type master; file
    "/var/named/data/db.sinkhole"; };

But it is not working, it always resolves the internal IP address. I thought
it evaluates the zones in order and first should forward the query for
w.blogspot.com but it is always matching the other zone.
Any idea about how I can achieve my goal?

Regards

Manuel