Friday, February 15, 2019

Wildcard DNS with BIND



I'm trying to set up BIND so that it catches any and all requests made to it, and points them to a specific set of NS servers, and a specific A record.



I have around 500 domains, and I'm adding new ones at the rate of 10-15 a day, so I don't want to explicitly add a zone for every domain.



My current setup is:
in my named.conf, I have a view (named external) with the following zone in it:




zone "." {
type master;
file "ext.zone";
};


This matches all requests.



ext.zone is:





$TTL 3600
@ IN SOA . root.nsdomain.com. (
1 ; Serial
3600 ; Refresh
300 ; Retry
3600 ; Expire
300 ) ; Negative Cache TTL



IN NS ns1.example.com
IN NS ns2.example.com

ns1 IN A 192.0.2.4
ns2 IN A 192.0.2.5

*. IN A 192.0.2.6



so, the goal is:
for all NS requests, return ns1.example.com and ns2.example.com
for all A requests, except where it is ns1.example.com or ns2.example.com, return 192.0.2.6. For ns1.example.com return 192.0.2.4, for ns2.example.com return 192.0.2.5.



This almost works, the only problem is that when I do a dig, I get:




dig @localhost somedomain.example

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @localhost somedomain.example

; (1 server found)
;; global options: printcmd
;; Got answer:
;; opcode: QUERY, status: NOERROR, id: 37733
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;somedomain.example. IN A

;; ANSWER SECTION:

somedomain.example. 3600 IN A 192.0.2.6 // as expected

;; AUTHORITY SECTION:
. 3600 IN NS ns1.example.com. // expected, I don't know if the "." at the start is bad, though.
. 3600 IN NS ns2.example.com. // see above.

;; ADDITIONAL SECTION:
ns1.example.com. 3600 IN A 192.0.2.6 // not expected, this should be 192.0.2.4
ns2.example.com. 3600 IN A 192.0.2.6 // not expected, this should be 192.0.2.5



How do I fix this? Am I doing something horrible? Is there a better way to do this?


Answer



Your origin for the zone is . per your configuration. You are creating records for ns1. and ns2. instead of ns1.example.com. and ns2.example.com. Since ns1.example.com and ns2.example.com aren't defined, they are matched by the wildcard.



EDIT: here's an edit of your config and zone:



zone "example.com." {
type master;
file "ext.zone";
};


ext.zone:



$TTL 3600
@ IN SOA ns1 root (
1 ; Serial
3600 ; Refresh
300 ; Retry
3600 ; Expire
300 ) ; Negative Cache TTL


IN NS ns1
IN NS ns2
IN A 192.0.2.6


ns1 IN A 192.0.2.4

ns2 IN A 192.0.2.5

* IN A 192.0.2.6


Everything in the zone is relative to the zone name in the named configuration, so adding a second zone just points to the same file:



zone "example.net." {
type master;
file "ext.zone";
};
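The following is an added example, not code from the question or the answer: a small Python interpreter for the two zone layouts above. It qualifies relative owner and NS target names against the zone origin the way BIND does and applies RFC 4592 wildcard matching (longest existing ancestor, multi-label match, no synthesis for names that already exist), so it reproduces the ADDITIONAL section the questioner saw under origin "." and the corrected one under origin example.com. It is deliberately simplified: one-line SOA, A and NS records only, no $ORIGIN or $TTL handling, and the two zone texts are constructed, condensed versions of the ones on the page.

```python
# Added example, not from the original post: a tiny zone-file interpreter
# (one-line SOA, A/NS only) that qualifies names against the origin and does
# RFC 4592 wildcard matching, showing why ns1.example.com hit the wildcard.
def qualify(name, origin):
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"

def parse_zone(text, origin):
    records, last_owner = {}, origin
    for raw in text.splitlines():
        fields = raw.split(";")[0].split()          # strip comment, tokenize
        if not fields:
            continue
        if fields[0] == "IN":                       # blank owner: reuse last one
            owner, rtype, rdata = last_owner, fields[1], fields[2]
        else:
            owner, rtype, rdata = qualify(fields[0], origin), fields[2], fields[3]
        if rtype in ("NS", "SOA"):                  # targets are names too
            rdata = qualify(rdata, origin)
        records.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
        last_owner = owner
    return records

def resolve(records, qname, rtype):
    exists = lambda n: n == "." or n in records or any(k.endswith("." + n) for k in records)
    if exists(qname):                               # existing names never match *
        return records.get(qname, {}).get(rtype, [])
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels) + 1):             # walk up to the closest encloser
        anc = ".".join(labels[i:]) + "." if i < len(labels) else "."
        if exists(anc):
            return records.get(qualify("*", anc), {}).get(rtype, [])
    return []

# Constructed zone texts, condensed from the question and from the answer.
ORIGINAL = """@ IN SOA . root.nsdomain.com. ( 1 3600 300 3600 300 )
IN NS ns1.example.com
ns1 IN A 192.0.2.4
*. IN A 192.0.2.6"""
FIXED = """@ IN SOA ns1 root ( 1 3600 300 3600 300 )
IN NS ns1
ns1 IN A 192.0.2.4
* IN A 192.0.2.6"""

def additional_for_ns(zone_text, origin):
    recs = parse_zone(zone_text, origin)            # dig's ADDITIONAL section
    return {ns: resolve(recs, ns, "A") for ns in recs[origin]["NS"]}
```

Calling additional_for_ns(ORIGINAL, ".") yields 192.0.2.6 for ns1.example.com. (the wildcard at the root), while additional_for_ns(FIXED, "example.com.") yields 192.0.2.4, because ns1 is now qualified to ns1.example.com. and an existing name is never matched by the wildcard.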
