Score:0

How to forward some sub-domain of a zone to default forwarders

cn flag

I want to use bind9 to hijack a zone, for example "qq.com". My zone configuration is

zone "qq.com" IN {
  type master;
  file "db.qq.com";
  forwarders { 119.29.29.29; 8.8.8.8; };
};

and my db file is

[root@cenotstest named]# cat db.qq.com
$TTL 1800
@           IN  SOA ns1.qq.com.  my.example.com. (
                    20210409 ;
                    3H ;
                    15M ;
                    1W ;
                    1D ) ;
            IN  NS  ns1.qq.com.
ns1             IN      A       183.36.112.46

a   IN   A  1.1.1.1

When resolving a.qq.com, I can get the correct answer as below

[root@cenotstest named]# nslookup a.qq.com
Server:     127.0.0.1
Address:    127.0.0.1#53

Name:   a.qq.com
Address: 1.1.1.1

But for other domains, like "mail.qq.com" or "www.qq.com" (maybe there are a lot of other domains I don't know), I just want to forward these domains I do not know to the name servers configured in the forwarders, like 8.8.8.8, as default.

But now, the forwarders in zone "qq.com" don't work. Does bind9 support it?

Nikita Kipriyanov avatar
za flag
I believe there is no way to do that, at least, in BIND. If you "hijacked" a zone, it's yours now, set up everything by yourself.
lamber avatar
cn flag
@NikitaKipriyanov thank you, I am now using dnsmasq as a DNS service, and I am preparing to migrate DNS from dnsmasq to bind9. Dnsmasq can support it. If a domain doesn't match any record in my configuration, dnsmasq can read the nameserver from /etc/resolv.conf as a default forwarder to resolve the domain. So I guess bind9 can support this feature too.
Patrick Mevzek avatar
cn flag
Look at bind RPZ feature.
lamber avatar
cn flag
@PatrickMevzek thanks a lot, bind rpz works for me
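The response policy zone setup that the comment thread converged on, as an added example (not configuration from the original post): the server forwards everything, and the RPZ rewrites only the names it lists, so the rest of qq.com keeps resolving through the forwarders. The policy zone name rpz.local, its file name and the allow-recursion ACL are assumptions; the override and forwarder addresses are the ones from the question.

```text
// named.conf (fragment): no zone "qq.com" at all. The server is a forwarding
// resolver; the policy zone is consulted before each answer is returned.
options {
    recursion yes;
    allow-recursion { localnets; };          // assumed ACL: recurse only for local clients
    forwarders { 119.29.29.29; 8.8.8.8; };   // the "default forwarders" from the question
    forward only;
    response-policy { zone "rpz.local"; };   // assumed policy zone name
};

// The policy zone is an ordinary primary zone; clients never query it directly.
zone "rpz.local" {
    type master;
    file "db.rpz.local";                     // assumed file name
    allow-query { none; };
};

; db.rpz.local: QNAME triggers. The owner name is the name being queried,
; written relative to the policy zone apex, so "a.qq.com" here matches the
; query name a.qq.com. Names without a trigger (www.qq.com, mail.qq.com, ...)
; are not rewritten and go to the forwarders unchanged.
$TTL 60
@               IN SOA  localhost. root.localhost. ( 1 3600 900 604800 60 )
                IN NS   localhost.
a.qq.com        IN A    1.1.1.1     ; local data action: answer with this record
```

Before reloading, `named-checkconf` validates the configuration and `named-checkzone rpz.local db.rpz.local` validates the policy zone file; a mistake in either leaves named running on its old configuration rather than silently forwarding the overridden name.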
Score:0
za flag

If a domain doesn't match any record in my configuration, dnsmasq can read the nameserver from /etc/resolv.conf as a default forwarder to resolve the domain. So I guess bind9 can support this feature too.

That is AFAIK actually a unique feature of dnsmasq.

Normal DNS servers, like ISC Bind, are either recursive or authoritative. When they are authoritative for a (sub-)domain, they hold the complete truth for that (sub-)domain and their zone data contains all resource records that exist for the domain (although NS records can be used to delegate sub-domains to other name servers). When an authoritative name server is queried for a record that it does not know about and which is not delegated, then as far as it is concerned, that record doesn't exist. End-of-story.

You could try whether delegating all non-existing records (using a DNS wildcard) works by creating a zone file:

db.qq.com
$TTL 1800
@           IN  SOA ns1.qq.com.  my.example.com. (
                    20210409 ;
                    3H ;
                    15M ;
                    1W ;
                    1D ) ;
            IN  NS  ns1.qq.com.
ns1             IN      A       183.36.112.46

a   IN   A  1.1.1.1

the.original.authoritative.nameserver.for.qq.com. IN A 10.9.8.7 
*   IN NS the.original.authoritative.nameserver.for.qq.com.
lamber avatar
cn flag
Thank you for your answer, but bind doesn't support wildcards in domain delegation. I tried to configure it like this and the named process can't start.
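The two behaviours discussed in this thread, modelled in Python as an added example (not code from the original post or from ISC): an authoritative zone answers NXDOMAIN for any in-zone name it does not hold and never consults its forwarders, while a response policy zone in front of a forwarding resolver rewrites only the names it lists and forwards everything else. The first sample input is the question's db.qq.com; the RPZ file and the zone name rpz.local are constructed assumptions. The parser handles only what these files use.

```python
"""Authoritative zone vs. RPZ-plus-forwarders, as seen by a query for a name."""

# Constructed sample input: the question's zone file, reproduced as text.
DB_QQ_COM = """\
$TTL 1800
@           IN  SOA ns1.qq.com.  my.example.com. (
                    20210409 ;
                    3H ;
                    15M ;
                    1W ;
                    1D ) ;
            IN  NS  ns1.qq.com.
ns1             IN      A       183.36.112.46

a   IN   A  1.1.1.1
"""

# Constructed sample RPZ ("rpz.local" is an assumed zone name). Owner names are
# QNAME triggers written relative to the policy zone apex.
DB_RPZ_LOCAL = """\
$TTL 60
@               IN SOA  localhost. root.localhost. ( 1 3600 900 604800 60 )
                IN NS   localhost.
a.qq.com        IN A     1.1.1.1   ; local data: override the public answer
blocked.qq.com  IN CNAME .         ; NXDOMAIN action
"""

FORWARDERS = ["119.29.29.29", "8.8.8.8"]   # the question's forwarders


def fqdn(name):
    return name.rstrip(".").lower() + "."


def parse_zone(text, origin):
    """Minimal zone-file parser: $TTL, '@', relative owners, owner-less
    continuation records and a parenthesised SOA. Returns {owner: [(type, rdata)]}."""
    origin = fqdn(origin)
    records, last_owner, in_parens = {}, origin, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if in_parens:                               # still inside a multi-line SOA
            in_parens = ")" not in line
            continue
        if line.startswith("$"):                    # $TTL etc. are not needed here
            continue
        fields = line.split()
        if raw[0].isspace():                        # blank owner: reuse the previous one
            owner = last_owner
        else:
            owner = fields.pop(0)
            owner = origin if owner == "@" else fqdn(owner if owner.endswith(".") else owner + "." + origin)
        if fields[0].upper() == "IN":
            fields.pop(0)
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        in_parens = "(" in rdata and ")" not in rdata
        records.setdefault(owner, []).append((rtype, rdata))
        last_owner = owner
    return records


def answer_authoritative(zone, origin, qname, qtype="A"):
    """What a server that is authoritative (type master) for `origin` returns.
    A forwarders clause on the zone never comes into play for in-zone names."""
    origin, qname = fqdn(origin), fqdn(qname)
    if qname != origin and not qname.endswith("." + origin):
        return ("OUTSIDE_ZONE", "handled by the server's global recursion settings")
    labels = qname[:-1].split(".")
    for i in range(len(labels)):                    # walk up to the apex looking for a delegation
        ancestor = ".".join(labels[i:]) + "."
        if ancestor == origin:
            break
        ns = [r for t, r in zone.get(ancestor, []) if t == "NS"]
        if ns:
            return ("REFERRAL", ns)                 # the only way to hand a sub-domain elsewhere
    rrs = zone.get(qname)
    if rrs is None:
        return ("NXDOMAIN", "authoritative server: the name does not exist, nothing is forwarded")
    data = [r for t, r in rrs if t == qtype]
    return ("ANSWER", data) if data else ("NODATA", "name exists but has no %s record" % qtype)


def answer_with_rpz(rpz, rpz_origin, qname, qtype="A", forwarders=FORWARDERS):
    """What a forwarding resolver with `rpz` as its response-policy zone returns."""
    trigger = fqdn(qname) + fqdn(rpz_origin)        # a.qq.com. + rpz.local. -> a.qq.com.rpz.local.
    rrs = rpz.get(trigger)
    if rrs is None:
        return ("FORWARD", list(forwarders))        # not a trigger: forwarded unchanged
    for rtype, rdata in rrs:
        if rtype == "CNAME":                        # special RPZ actions are encoded as CNAMEs
            if rdata == ".":
                return ("NXDOMAIN", "rpz action CNAME .")
            if rdata == "*.":
                return ("NODATA", "rpz action CNAME *.")
            if rdata.lower() == "rpz-passthru.":
                return ("FORWARD", list(forwarders))
    data = [r for t, r in rrs if t == qtype]
    return ("LOCAL", data) if data else ("NODATA", "policy zone has no %s record for this name" % qtype)


if __name__ == "__main__":
    zone = parse_zone(DB_QQ_COM, "qq.com")
    rpz = parse_zone(DB_RPZ_LOCAL, "rpz.local")
    for name in ("a.qq.com", "www.qq.com", "blocked.qq.com"):
        print(name, "| authoritative:", answer_authoritative(zone, "qq.com", name),
              "| rpz+forwarders:", answer_with_rpz(rpz, "rpz.local", name))
```

Running it shows the contrast the answer describes: a.qq.com is answered in both designs, but www.qq.com is NXDOMAIN from the authoritative zone and forwarded under the RPZ design, which is the behaviour the question was after.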