ISC has added NXDOMAIN redirection in BIND 9.9.
Here’s the excerpt from the release notes of BIND 9.9 alpha
BIND 9.9.0

BIND 9.9.0 includes a number of changes from BIND 9.6 and earlier releases. New features include:

- NXDOMAIN redirection.
[ install BIND 9.9 alpha 2 on Ubuntu 11.04 ]
root@hat1:~# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 11.04"
root@hat1:~# uname -r
2.6.38-11-server
# tar xzvf bind-9.9.0a2.tar.gz
# cd bind-9.9.0a2/
# apt-get install libssl-dev
# ./configure --sysconfdir=/etc/bind
# make
# make install
# /usr/local/sbin/named -v
BIND 9.9.0a2
[ configure NXDOMAIN Redirection ]
The file REDIRECT-NOTES in the source package describes how to configure NXDOMAIN redirection.
Note that redirect zones must be called "."
zone "." [class] { type redirect; file string ; [ masterfile-format (text|raw) ; ] [ allow-query { address_match_list }; ] }; |
In named.conf, add a second zone called "." with type redirect, alongside the existing root hint zone:
zone "." { type hint; file "/etc/bind/db.root"; }; # for NXDOMAIN Redirection zone "." { type redirect; file "redirect.db"; }; |
root@hat1:.../bind# cat /var/cache/bind/redirect.db
$TTL 300
@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
@ IN NS ns.example.net
;
; NS records do not need address records in this zone as it is not in the
; normal namespace.
;
*. IN A 100.100.100.2
*. IN AAAA 2001:ffff:ffff::100.100.100.2
;*.COM.ES. IN A 100.100.100.4
;*.COM.ES. IN AAAA 2001:ffff:ffff::100.100.100.4
;The redirect zone supports all possible types. It is not limited to
;A and AAAA record.
Start named and confirm with rndc that it is running:
root@hat1:~# /usr/local/sbin/named
root@hat1:~# rndc status
version: 9.9.0a2
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
Resolution of names that exist proceeds normally:
root@hat1:~# dig @127.1 www.google.co.jp.

; <<>> DiG 9.9.0a2 <<>> @127.1 www.google.co.jp.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51037
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;www.google.co.jp.              IN      A

;; ANSWER SECTION:
www.google.co.jp.       345600  IN      CNAME   www.google.com.
www.google.com.         604800  IN      CNAME   www.l.google.com.
www.l.google.com.       300     IN      A       72.14.203.105
www.l.google.com.       300     IN      A       72.14.203.106
www.l.google.com.       300     IN      A       72.14.203.147
www.l.google.com.       300     IN      A       72.14.203.99
www.l.google.com.       300     IN      A       72.14.203.103
If the name does not exist (i.e. the upstream answer is NXDOMAIN), BIND rewrites the answer: the status becomes NOERROR and the wildcard A record from redirect.db (with its 300-second TTL) is returned as if it were the real answer.
root@hat1:~# dig @127.1 zzz.zz.zzzz.

; <<>> DiG 9.9.0a2 <<>> @127.1 zzz.zz.zzzz.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8000
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;zzz.zz.zzzz.                   IN      A

;; ANSWER SECTION:
zzz.zz.zzzz.            300     IN      A       100.100.100.2
A packet capture on the resolver shows what is actually happening: named still sends the query upstream (here to the root server 202.12.27.33) and receives a genuine NXDOMAIN ("No such name"); the redirect is applied to that response before it is handed back to the client.

205.781112 192.168.11.100 -> 202.12.27.33 DNS Standard query A zzz.zz.zzzz
205.785677 202.12.27.33 -> 192.168.11.100 DNS Standard query response, No such name
[ opt-out, opt-in ]
Opt-in and opt-out are configured with the allow-query option on the redirect zone: only clients matching the address_match_list receive redirected answers, everyone else gets the unmodified NXDOMAIN. Because a redirected answer is synthesized by the resolver rather than signed by the real zone, it cannot pass DNSSEC validation, so limiting redirection to clients that have opted in is the sensible default.
zone "." { type hint; file "/etc/bind/db.root"; }; # for NXDOMAIN Redirection zone "." { type redirect; file "redirect.db"; allow-query { 192.168.11.0/24; }; }; |
opt-out: a query from 127.0.0.1, which is outside 192.168.11.0/24, gets the real NXDOMAIN with the root SOA in the authority section:
root@hat1:~# dig @127.1 zzz.zzz.zzz.

; <<>> DiG 9.9.0a2 <<>> @127.1 zzz.zzz.zzz.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18993
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;zzz.zzz.zzz.                   IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2011100600 1800 900 604800 86400
opt-in: the same query sent to the server's 192.168.11.100 address, so that it arrives from inside 192.168.11.0/24, is redirected:
root@hat1:~# dig @192.168.11.100 zzz.zzz.zzz.

; <<>> DiG 9.9.0a2 <<>> @192.168.11.100 zzz.zzz.zzz.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49839
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;zzz.zzz.zzz.                   IN      A

;; ANSWER SECTION:
zzz.zzz.zzz.            300     IN      A       100.100.100.2
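To make the redirect zone and the allow-query opt-in/opt-out above concrete, here is a small Python model of what the resolver does, added as an example for this page (it is not BIND's code). It parses a constructed copy of redirect.db in which the commented-out *.COM.ES. records are enabled, looks names up with the standard DNS wildcard rules of RFC 4592 (the assumption being that BIND searches the redirect zone like any other zone), checks the client address against the zone's allow-query list, and rewrites only an upstream NXDOMAIN. The function names (parse_zone, lookup, resolve) and the choice that a matching name without a record of the queried type leaves the NXDOMAIN untouched are this example's own assumptions, not something documented on this page.

```python
"""Model of BIND 9.9 NXDOMAIN redirection (added example, not BIND's own code).

An upstream NXDOMAIN is answered from the wildcard records of the redirect
zone "." when the client matches the zone's allow-query list, and is passed
through unchanged otherwise.  Assumptions: the redirect zone is looked up
like an ordinary zone, so RFC 4592 wildcard rules apply, and a name that
matches without a record of the queried type leaves the NXDOMAIN untouched.
"""
import ipaddress

# Constructed zone text: the page's redirect.db with the *.COM.ES. records enabled.
REDIRECT_DB = """\
$TTL 300
@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
@ IN NS ns.example.net
*. IN A 100.100.100.2
*. IN AAAA 2001:ffff:ffff::100.100.100.2
*.COM.ES. IN A 100.100.100.4
*.COM.ES. IN AAAA 2001:ffff:ffff::100.100.100.4
"""


def labels(name):
    """Split an absolute name into labels, root dropped: 'a.b.' -> ['a', 'b']."""
    return [l for l in name.lower().split(".") if l]


def parse_zone(text):
    """Parse a minimal master file into {owner: {rtype: [rdata, ...]}}.

    Only the one-record-per-line 'owner IN TYPE rdata' form used in
    redirect.db is handled; '@' is the apex '.', ';' starts a comment.
    """
    zone = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        owner, _cls, rtype, *rdata = line.split()
        owner = "." if owner == "@" else owner.lower()
        zone.setdefault(owner, {}).setdefault(rtype.upper(), []).append(" ".join(rdata))
    return zone


def existing_names(zone):
    """Every owner name plus its ancestors.  Ancestors with no records of their
    own are empty non-terminals, which still exist for wildcard purposes."""
    names = {"."}
    for owner in zone:
        ls = labels(owner)
        for i in range(len(ls)):
            names.add(".".join(ls[i:]) + ".")
    return names


def lookup(zone, qname, qtype):
    """RFC 4592 lookup: exact match first, otherwise the wildcard under the
    closest encloser (the longest existing ancestor).  Returns rdata or None."""
    qname = qname.lower() if qname.endswith(".") else qname.lower() + "."
    names = existing_names(zone)
    if qname in names:                       # existing name: no wildcard synthesis
        return zone.get(qname, {}).get(qtype.upper())
    ls = labels(qname)
    for i in range(1, len(ls) + 1):          # walk upward to the closest encloser
        ancestor = ".".join(ls[i:]) + "."    # i == len(ls) yields the root "."
        if ancestor in names:
            wildcard = "*." if ancestor == "." else "*." + ancestor
            return zone.get(wildcard, {}).get(qtype.upper())
    return None


def resolve(qname, qtype, client_ip, upstream_rcode, upstream_answer=(),
            allow_query=("192.168.11.0/24",), zone=None):
    """What the redirecting resolver hands the client: (rcode, [rdata, ...]).

    allow_query models the zone's allow-query list; pass ("0.0.0.0/0",) for
    the first config on the page, which has none and redirects for everyone.
    """
    if zone is None:
        zone = parse_zone(REDIRECT_DB)
    if upstream_rcode != "NXDOMAIN":         # only NXDOMAIN is ever rewritten
        return upstream_rcode, list(upstream_answer)
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in ipaddress.ip_network(n) for n in allow_query):
        return "NXDOMAIN", []                # opt-out: real answer unchanged
    rdata = lookup(zone, qname, qtype)
    if rdata is None:                        # no name+type match: still NXDOMAIN
        return "NXDOMAIN", []
    return "NOERROR", list(rdata)


if __name__ == "__main__":
    for args in [("www.google.co.jp.", "A", "127.0.0.1", "NOERROR", ["72.14.203.105"]),
                 ("zzz.zz.zzzz.", "A", "127.0.0.1", "NXDOMAIN"),
                 ("zzz.zz.zzzz.", "A", "192.168.11.100", "NXDOMAIN"),
                 ("foo.com.es.", "AAAA", "192.168.11.5", "NXDOMAIN"),
                 ("foo.es.", "A", "192.168.11.5", "NXDOMAIN")]:
        print(args[0], args[1], "from", args[2], "->", resolve(*args))
```

Running it reproduces the three dig results on this page (the untouched NOERROR for www.google.co.jp, the 100.100.100.2 answer for an opted-in client, the genuine NXDOMAIN for 127.0.0.1 once allow-query is set) and shows one consequence of per-TLD wildcards worth knowing before enabling them: under RFC 4592 rules, adding *.COM.ES. makes es. an existing empty non-terminal, so a query for foo.es is no longer caught by *. and keeps its real NXDOMAIN unless *.ES. is added as well.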
Hello, Shigehiro Hattori. Thank you for your post. It helped me so much.
Now, my DNS server has been running BIND 9.2. Would you show me how to upgrade to BIND 9.9 without affecting the current configuration? Because the system is currently running for my company, which is an ISP in Viet Nam.
Looking forward to your help! Thanks