lost and found ( for me ? )

BIND 9.9 alpha 2 : NX Domain redirection


ISC has added NXDomain redirection on BIND 9.9.

Here is the relevant excerpt from the BIND 9.9 alpha release notes:
BIND 9.9.0

       BIND 9.9.0 includes a number of changes from BIND 9.6 and earlier
       releases.  New features include:

       - NXDOMAIN redirection.

[ install BIND 9.9 alpha 2 on Ubuntu 11.04 ]

root@hat1:~# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 11.04"
root@hat1:~# uname -r
2.6.38-11-server

# tar xzvf bind-9.9.0a2.tar.gz
# cd bind-9.9.0a2/
# apt-get install libssl-dev
# ./configure --sysconfdir=/etc/bind
# make
# make install

# /usr/local/sbin/named -v
BIND 9.9.0a2

[ configure NXDOMAIN Redirection ]

The source package includes a file, REDIRECT-NOTES, that describes how to configure NXDOMAIN redirection.
Note that redirect zones must be called "." :
zone "." [class] {
   type redirect;
   file string ;
   [ masterfile-format (text|raw) ; ]
   [ allow-query { address_match_list }; ]
};

Add a second zone called "." of type redirect for NXDOMAIN redirection, next to the existing root hint zone:
zone "." {
       type hint;
       file "/etc/bind/db.root";
};

# for NXDOMAIN Redirection
zone "." {
       type redirect;
       file "redirect.db";
};

root@hat1:.../bind# cat /var/cache/bind/redirect.db
$TTL 300
@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
@ IN NS ns.example.net
;
; NS records do not need address records in this zone as it is not in the
; normal namespace.
;
*. IN A 100.100.100.2
*. IN AAAA 2001:ffff:ffff::100.100.100.2

;*.COM.ES. IN A 100.100.100.4
;*.COM.ES. IN AAAA 2001:ffff:ffff::100.100.100.4

;The redirect zone supports all possible types.  It is not limited to
;A and AAAA record.

Start named and check that it is running:
root@hat1:~# /usr/local/sbin/named

root@hat1:~# rndc status
version: 9.9.0a2
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

Resolution of existing domains is processed normally:
root@hat1:~# dig @127.1 www.google.co.jp.

; <<>> DiG 9.9.0a2 <<>> @127.1 www.google.co.jp.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51037
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;www.google.co.jp. IN A

;; ANSWER SECTION:
www.google.co.jp. 345600 IN CNAME www.google.com.
www.google.com. 604800 IN CNAME www.l.google.com.
www.l.google.com. 300 IN A 72.14.203.105
www.l.google.com. 300 IN A 72.14.203.106
www.l.google.com. 300 IN A 72.14.203.147
www.l.google.com. 300 IN A 72.14.203.99
www.l.google.com. 300 IN A 72.14.203.103

If the domain does not exist (i.e. the upstream answer is NXDOMAIN), BIND rewrites the answer using the redirect zone, like this:
root@hat1:~# dig @127.1 zzz.zz.zzzz.

; <<>> DiG 9.9.0a2 <<>> @127.1 zzz.zz.zzzz.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8000
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;zzz.zz.zzzz. IN A

;; ANSWER SECTION:
zzz.zz.zzzz. 300 IN A 100.100.100.2

205.781112 192.168.11.100 -> 202.12.27.33 DNS Standard query A zzz.zz.zzzz
205.785677 202.12.27.33 -> 192.168.11.100 DNS Standard query response, No such name

[ opt-out , opt-in ]

Opt-out and opt-in can be configured per client with the allow-query option on the redirect zone; clients that do not match the list get the genuine NXDOMAIN.
zone "." {
       type hint;
       file "/etc/bind/db.root";
};

# for NXDOMAIN Redirection
zone "." {
       type redirect;
       file "redirect.db";
       allow-query { 192.168.11.0/24; };
};

opt-out (query from 127.0.0.1, which is outside the allow-query list, so the real NXDOMAIN is returned)
root@hat1:~# dig @127.1 zzz.zzz.zzz.

; <<>> DiG 9.9.0a2 <<>> @127.1 zzz.zzz.zzz.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18993
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;zzz.zzz.zzz. IN A

;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2011100600 1800 900 604800 86400

opt-in (query from 192.168.11.100, which matches the allow-query list, so the answer is redirected)
root@hat1:~# dig @192.168.11.100 zzz.zzz.zzz.

; <<>> DiG 9.9.0a2 <<>> @192.168.11.100 zzz.zzz.zzz.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49839
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;zzz.zzz.zzz. IN A

;; ANSWER SECTION:
zzz.zzz.zzz. 300 IN A 100.100.100.2
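The behaviour shown in the dig runs above (existing names untouched, NXDOMAIN rewritten from the wildcard entries, allow-query acting as the opt-in list) modelled as a small Python script. This is an added example, not ISC code: it assumes that BIND consults the redirect zone only when the normal lookup returns NXDOMAIN, that ordinary DNS wildcard matching applies so a *.COM.ES. entry wins over *., and that allow-query is a plain list of CIDR prefixes.

```python
import ipaddress

# Constructed copy of the page's redirect.db, with one of the COM.ES lines enabled.
REDIRECT_DB = """
$TTL 300
@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
@ IN NS ns.example.net
*. IN A 100.100.100.2
*. IN AAAA 2001:ffff:ffff::100.100.100.2
*.COM.ES. IN A 100.100.100.4
"""

def parse_redirect_zone(text):
    """Return {owner: [(type, rdata), ...]} for the wildcard records only."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith(("$", "@")):   # $TTL, SOA, NS: not redirect data
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        records.setdefault(owner.lower(), []).append((rtype, rdata))
    return records

def wildcard_match(qname, records):
    """Ordinary DNS wildcard matching: the most specific '*.<parent>' wins,
    and '*.' (the apex wildcard) catches everything else."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(1, len(labels)):                   # parents of qname only
        candidate = "*." + ".".join(labels[i:]) + "."
        if candidate in records:
            return records[candidate]
    return records.get("*.", [])

def client_allowed(client_ip, allow_query):
    """allow-query as an address match list (assumption: plain CIDR entries)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in allow_query)

def resolve(qname, qtype, client_ip, upstream_rcode, records,
            allow_query=("0.0.0.0/0", "::/0")):
    """Return (rcode, [rdata]) as the client sees it. Only an NXDOMAIN from the
    normal lookup is rewritten, and only for clients matched by allow-query."""
    if upstream_rcode != "NXDOMAIN" or not client_allowed(client_ip, allow_query):
        return upstream_rcode, []    # existing names / opted-out clients pass through
    answers = [rd for rt, rd in wildcard_match(qname, records) if rt == qtype]
    if not answers:                  # assumption: no record of that type -> NXDOMAIN stands
        return "NXDOMAIN", []
    return "NOERROR", answers
```

Running the page's four queries through resolve() reproduces the NOERROR/NXDOMAIN outcomes seen above, and a query for a name under com.es shows the more specific wildcard taking precedence.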

1 comment:

  1. Hello, Shgehiro Hattori. Thank you for your post. It helps me so much.
    Now, my DNS server has been running BIND 9.2. Would you show me how to upgrade to BIND 9.9 without affecting the current configuration? Because the system is currently running for my company, which is an ISP in Viet Nam.
    Looking forward to your help! Thanks
