I have bind9 running for local LAN DNS. I also have an APT caching server. So, I set up an RPZ file to poison certain domain names and have them resolve to my internal caching server instead. Running e.g. apt update is returning resolution errors I think because the caching server is unable to resolve the true (external) records and fetch the data. I think this means I’d have to set up a view for the caching server as a /32.

So the question is, can I set it up so that my caching server hitting domains in the poisoned zone just gets forwarded, while the rest of the network gets the poisoned data? I'm just not sure how to go about doing that.

1 Answer

You're correct in assuming that to serve different results based on the "asking" DNS client you have to create views. It's quite simple.

  1. Create ACLs (optional - you can use IP ranges everywhere; using ACLs is just easier):

    acl "not_poisoned_clients" {
        192.168.1.99/32;   # Caching server
        10.10.10.0/24;     # Example "whitelisted" network
    };
    

    NOTE: we're NOT creating a specific ACL for "everyone else".

  2. Create views (at least two). The first one will match "whitelisted" clients, the other everyone else:

    view "not_poisoned_clients" {
        match-clients { "not_poisoned_clients"; };
        recursion yes;
        zone "example.com" {
            type master;
            file "/etc/named/zones/db.example.com";
        };
    };
    
    view "everyone_else" {
        match-clients { any; };
        recursion no;
        zone "poisoned_example.com" {
            type master;
            file "/etc/named/zones/db.example.com.poisoned";
        };
    };
    

    The above examples are very basic; to learn more about possible options I strongly recommend the zytrax.com DNS guide. For example, you can learn about all the statements allowed within a "view" clause here.

  3. Advanced RPZ configuration examples:

    • RPZ configuration - especially: look at the response-policy statement, which you can use in your views.
    Okay, there was more to it but in broad strokes you got it. For posterity: changing from not having views to having views means you have to re-structure the named.conf* files a bit - I found this helpful - linuxbabe.com/ubuntu/… - and eventually I got things working. Thanks. Commented Dec 10, 2024 at 0:16
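The following is an added example, not code from the question or the answer above. It writes out a complete view-based split of the kind the answer describes, with the RPZ (`response-policy`) applied only in the view that serves the rest of the LAN, so the APT caching server gets unmodified recursion and can fetch from the real mirrors. Everything in it is an assumption for illustration: the caching server at 192.168.1.99, the LAN 192.168.1.0/24, the Debian-style `named.conf.default-zones` include, the output paths, and the mirror names in the RPZ zone. Both views keep `recursion yes`, because LAN clients still need to resolve everything that is not rewritten.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Generates a
# view-based BIND 9 configuration: the APT caching server (assumed
# 192.168.1.99) gets plain recursion, the rest of the LAN (assumed
# 192.168.1.0/24) gets RPZ-rewritten answers pointing APT mirrors at the
# cache. All addresses, paths and names are illustrative assumptions.
set -eu

write_bind_rpz_config() {
    out="$1"
    mkdir -p "$out"

    # named.conf.views: once any view exists, every zone must live inside a
    # view, which is the restructuring step that usually needs doing.
    cat > "$out/named.conf.views" <<'EOF'
acl "apt_cache" { 192.168.1.99/32; };   // exempt: must see the real records
acl "lan"       { 192.168.1.0/24; };

// View 1: the caching server. Plain recursion, no response-policy at all.
view "apt_cache" {
    match-clients   { "apt_cache"; };
    recursion yes;
    allow-recursion { "apt_cache"; };
    include "/etc/bind/named.conf.default-zones";  // root hints, localhost (Debian layout assumed)
};

// View 2: everyone else. Still recursive, but answers pass through RPZ first.
view "lan" {
    match-clients   { "lan"; };
    recursion yes;
    allow-recursion { "lan"; };
    response-policy { zone "rpz.local" log yes; };  // log every rewrite for auditing
    zone "rpz.local" {
        type master;
        file "/etc/bind/rpz.local.db";
        allow-query    { none; };  // consulted internally, never served directly
        allow-transfer { none; };
    };
    include "/etc/bind/named.conf.default-zones";
};
EOF

    # rpz.local.db: RPZ triggers are ordinary owner names; an A record
    # rewrites the answer. The wildcard covers hosts under the mirror domain.
    cat > "$out/rpz.local.db" <<'EOF'
$TTL 60
@   IN SOA  localhost. hostmaster.localhost. ( 2024121001 3600 900 604800 60 )
    IN NS   localhost.
archive.ubuntu.com      IN A 192.168.1.99
*.archive.ubuntu.com    IN A 192.168.1.99
security.ubuntu.com     IN A 192.168.1.99
EOF

    # Validate with BIND's own checker when it is installed; otherwise just
    # leave the files for inspection.
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone rpz.local "$out/rpz.local.db"
    fi
    echo "$out"
}

# Usage: write_bind_rpz_config ./bind-rpz-example
# Then reference named.conf.views from named.conf, copy rpz.local.db to
# /etc/bind/, run named-checkconf, and reload.
```

To confirm the split works, query the same name from both sides: `dig @<dns-server> archive.ubuntu.com` from the caching server should return the mirror's real address, while the same query from any other LAN host should return 192.168.1.99, and with `log yes` each rewrite appears in named's log so you can audit which clients hit the policy. For a single exempt host, BIND's RPZ also supports client-address triggers (an `rpz-client-ip` owner name with a `CNAME rpz-passthru.` action) inside one RPZ zone, which avoids views entirely; the example above follows the view-based approach the answer describes.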
