You're seriously over-complicating the admin for yourselves by creating dummy zones. Look at RPZ as this will achieve what you want in a much simpler and easier to manage way.
Steve

On 28 October 2013 13:10, <bind-ch...@telenet.be> wrote:
> Hi all,
>
> I installed a new bind caching server called nameserver.hiddendomain.be by
> using Ubuntu server 12.04.3 LTS with the included bind version:
> 9.8.1.dfsg.P1-4 for testing.
>
> We are a tiny ISP for some regional customers so we don't use forwarders, we
> host the caching servers for them.
>
> Recently our government obligated all ISPs to block access to child-porn,
> illegal betting sites, illegal file share sites etc...
> I have been asked now to implement this on our caching DNS servers (serve a
> custom zone to all of our customers that points to an IP from the government
> that hosts a block-page)
>
> It's the first time I try to use this mixed bind setup. (still act as
> caching server for our customers, but be authoritative for all domains we
> need to block)
>
> When I query a to-be-blocked zone with for example: dig @localhost stop.com,
> I get the response I want from within our local zone file (see zone file
> below; /etc/bind/stop.com.zone).
> If I use another Ubuntu host in the same network and query with dig
> @nameserver stop.com, I get the response from the Internet and not from the
> master zone file located on our 'nameserver'. (our test caching server seems
> to ignore its master for the zone stop.com)
>
> Below you will find our config files, I don't see the problem, thanks for
> your help!
>
> Regards,
> Olivier
>
> (the name of my test server and the name of the zone we need to block have
> been replaced by fake ones for privacy reasons. Except for those names and
> its IP, all other info is from my test server-setup)
>
> ---cat /etc/hosts -->
>
> 127.0.0.1       localhost
> IP.IP.IP.IP     nameserver.hiddendomain.be nameserver
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> ---cat /etc/bind/named.conf -->
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> ---cat /etc/bind/named.conf.options -->
>
> options {
>         directory "/var/cache/bind";
>
>         // If there is a firewall between you and nameservers you want
>         // to talk to, you may need to fix the firewall to allow multiple
>         // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
>         // If your ISP provided one or more IP addresses for stable
>         // nameservers, you probably want to use them as forwarders.
>         // Uncomment the following block, and insert the addresses replacing
>         // the all-0's placeholder.
>
>         // forwarders {
>         //      0.0.0.0;
>         // };
>
>         //========================================================================
>         // If BIND logs error messages about the root key being expired,
>         // you will need to update your keys. See https://www.isc.org/bind-keys
>         //========================================================================
>         dnssec-enable yes;
>         dnssec-validation auto;
>
>         auth-nxdomain no;    # conform to RFC1035
>         listen-on-v6 { any; };
> };
>
> ---cat /etc/bind/named.conf.local -->
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> zone "stop.com"
> {
>         type master;
>         file "/etc/bind/stop.com.zone";
> };
>
> ---cat /etc/bind/stop.com.zone -->
>
> $TTL 86400
> $ORIGIN stop.com.
>
> @       IN SOA  nameserver.hiddendomain.be. hostmaster.hiddendomain.be. (
>                 2013101601      ; serial number YYMMDDNN
>                 28800           ; Refresh
>                 7200            ; Retry
>                 864000          ; Expire
>                 86400           ; Min TTL
>                 )
>
>         NS      ns3.hiddendomain.be.
>         NS      ns4.hiddendomain.be.
>
>         IN A    193.191.245.56
> www     IN A    193.191.245.56
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
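Steve's RPZ suggestion in concrete form, as an added example that is not part of the thread and not ISC's or the poster's configuration: one policy zone on the caching server rewrites stop.com (and every name under it) to the same block-page address the poster's dummy zone used, and each further domain is one more pair of records rather than a new zone statement and zone file. RPZ has been in BIND since 9.8.0, so it is available on the poster's 9.8.1 build; the zone name rpz.hiddendomain.be and the file path are assumptions.

```text
# /etc/bind/named.conf.options -- add inside the existing options { ... } block.
# Assumed policy zone name: rpz.hiddendomain.be (any local name works).
        response-policy { zone "rpz.hiddendomain.be"; };

# /etc/bind/named.conf.local -- replaces the per-domain "stop.com" master zone.
zone "rpz.hiddendomain.be" {
        type master;
        file "/etc/bind/rpz.hiddendomain.be.zone";   # assumed path
        allow-query { localhost; };     # the policy zone is consulted internally;
        allow-transfer { none; };       # never serve or transfer it to clients
};

# /etc/bind/rpz.hiddendomain.be.zone -- the block list itself.
# Rewritten answers carry the TTL of these records, so keep it short:
# removing an entry then takes effect at customers within minutes.
$TTL 300
$ORIGIN rpz.hiddendomain.be.
@       IN SOA  nameserver.hiddendomain.be. hostmaster.hiddendomain.be. (
                2013102801 ; serial
                3600 600 604800 300 )
        IN NS   nameserver.hiddendomain.be.

; Local Data action: the resolver answers with these records instead of
; whatever the real authoritative servers return.
stop.com        IN A    193.191.245.56   ; the government block-page
*.stop.com      IN A    193.191.245.56   ; www.stop.com and any other label
; Another blocked domain is two more lines (placeholder name, not real):
; blocked.example   IN A   193.191.245.56
; *.blocked.example IN A   193.191.245.56
```

After `rndc reload`, `dig @nameserver stop.com` from a customer host should return 193.191.245.56, and every rewrite is recorded in named's `rpz` logging category, which gives an audit trail the dummy-zone approach does not produce.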