Hi everyone, I hope you are all fine. I am new to the mailing list and looking 
for advice. If this mailing list is not suitable for my query below, then 
please pardon me. 
I am stuck in a situation and looking for a solution. My scenario is as below.
I want to block some websites for all my users.
For example: www.abc.com, www.xyz.com, etc.
I did it using Response Policy Zone (RPZ) in BIND.

    response-policy { zone "rpz"; };
    rrset-order { order cyclic; };

    zone "rpz" {
        type master;
        allow-query { any; };
        file "/etc/bind/rpz.db";
    };

In my RPZ zone file I created CNAME entries for the above-mentioned FQDNs, 
which point to discard.websites.com:

    www.abc.com  IN  CNAME  discard.websites.com.
    www.xyz.com  IN  CNAME  discard.websites.com.
Later on, in the websites.com zone file (which is another fake zone) I created 
an A record for discard.websites.com, pointing to 192.168.127.127 (a fake IP):

    discard  IN  A  192.168.127.127
In this way all the DNS requests from all my users for the above-mentioned sites 
are resolved to 192.168.127.127 and the real websites are unreachable.
(N.B. I am not worried about the situation where users change their DNS IP to an 
open resolver and can access the websites.)
Everything was going fine. By this time another requirement came into the 
picture. Now I need to block the mentioned websites for some specific users 
(based on source IP).
So in my RPZ configuration I specified the users' source IP block as below.

    zone "rpz" {
        type master;
        allow-query { 192.168.10.0/24; };
        file "/etc/bind/rpz.db";
    };
At this point the DNS queries from the specified block 192.168.10.0/24 are 
resolved to my fake IP, and all other requests from the rest of the IP blocks 
are dropped (as expected per the configuration).
But I want it to work like this: the DNS queries from the 192.168.10.0/24 block 
will be matched against the RPZ zone, and other requests from the rest of the 
IPs will bypass the RPZ configuration and match my general 
"allow-query { any; };" statement in named.conf.
Will the logic work as I stated above? Any comments from the experts would be 
greatly appreciated.
(N.B. I came to know that resolving different IPs based on different sources is 
possible in Knot DNS, but I would be happy to do it in BIND (if possible).)

Thanks & Regards,
Md. Abdullah Al Naser
Dhaka, Bangladesh

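The following named.conf is an added example, not part of the original post, showing how the per-source-IP behaviour asked for above is normally expressed in BIND: `response-policy` is a view (or options) statement, so placing it only in a view whose `match-clients` covers 192.168.10.0/24 applies the RPZ to those clients and leaves everyone else with plain recursion. The `allow-query` on the policy zone itself does not scope the policy; the rewrite lookup is internal to named. The ACL name `rpz_clients`, the view names, the options directory and the file name `/etc/bind/websites.com.db` for the sinkhole zone are assumptions; `/etc/bind/rpz.db` and its records are reused from the post.

```conf
// Added example (not from the original post): restrict RPZ rewriting to one
// client range using BIND views. Assumes the rpz.db and websites.com zone
// files described in the post; "rpz_clients", the view names and the
// websites.com file path are hypothetical.

acl "rpz_clients" { 192.168.10.0/24; };

options {
    directory "/var/cache/bind";   // assumed working directory
    recursion yes;
    allow-query { any; };
};

// Clients in 192.168.10.0/24: response-policy is set here, so blocked names
// are rewritten to the CNAME in rpz.db and resolve to the sinkhole address.
view "filtered" {
    match-clients { rpz_clients; };
    recursion yes;
    response-policy { zone "rpz"; };

    zone "rpz" {
        type master;
        file "/etc/bind/rpz.db";
        // The policy zone is consulted internally; clients do not need to
        // query it directly, so direct queries can be limited to localhost.
        allow-query { localhost; };
    };

    // Authoritative fake zone holding "discard IN A 192.168.127.127".
    zone "websites.com" {
        type master;
        file "/etc/bind/websites.com.db";   // assumed path
    };
};

// Every other client: ordinary recursion with no response-policy statement,
// so the RPZ is bypassed and the real answers are returned.
view "unfiltered" {
    match-clients { any; };
    recursion yes;
};
```

Views are matched in the order written, so the narrow `match-clients` must come before the catch-all. Run `named-checkconf` on the file and `named-checkzone rpz /etc/bind/rpz.db` before reloading. As a design point, an RPZ record of the form `www.abc.com CNAME .` makes the blocked name return NXDOMAIN, which removes the need for the separate websites.com sinkhole zone and is easier to distinguish from a real answer in query logs; pointing clients at 192.168.127.127 as in the post also works, but any service listening on that address will receive the redirected traffic.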