Partial BIND DNS RPZ enabled zones
In this short article I'll show how I set up my BIND systems to return controlled replies for certain DNS queries about external domains.
This article is somewhat of a continuation of a previous article about BIND and RPZ, which you can find here.
My use case was simple: I wanted ntp.ubuntu.com to resolve to an address in an RFC1918 private range, in plain words, an NTP server local to my own networks. At the same time, I needed records like keyserver.ubuntu.com or archive.ubuntu.com to keep resolving normally.
I haven't enabled this out of any lack of trust in ntp.ubuntu.com; it is simply very handy when dealing with systems that have no direct internet connectivity, no default gateway and so on. So I wanted to re-route a few of the standard NTP DNS records to an NTP server under my control, which lets me deploy systems with correct time regardless of public network reachability, with zero effort on the client side.
A simple trick to get there is to use a response-policy zone instead of a master zone for, in our example, ubuntu.com:
These are my response-policy directives within the global BIND options, located for me in /etc/bind/named.conf.options:
options {
    ...
    // policy zones are consulted in the order listed; the zone name must match the zone declared below
    response-policy { zone "local.ubuntu.com"; zone "rpz.whitelist"; zone "rpz"; } qname-wait-recurse no;
    ...
};
And this is the RPZ zone declaration within my /etc/bind/named.conf.local:
zone "local.ubuntu.com" {
    type master;
    file "/etc/bind/zones/db.local.ubuntu.com";
    // the policy zone is only used internally, never served to clients
    allow-query {
        none;
    };
};
Now, when resolving a hostname within the ubuntu.com zone, BIND consults the response-policy zones first; if it does not find an answer there it continues looking, first in the next policy zone and ultimately through normal resolution.
In my case this has a hard stop at the rpz zone because, as explained in my former BIND RPZ article, I do not allow external DNS resolution except for a few controlled domains listed in rpz.whitelist. Depending on your setup, these choices are up to you.
Finally, create the needed zone file, for me /etc/bind/zones/db.local.ubuntu.com, containing something like the following:
$TTL 24H
@   IN SOA LOCALHOST. named-mgr.ubuntu.com. (
        5       ; serial, bump it on every change
        1d      ; refresh
        1h      ; retry
        30d     ; expire
        2h )    ; negative cache TTL
    IN NS  LOCALHOST.
; ----------------------------------------------------
; ------ UBUNTU.COM ----------------------------------
; ----------------------------------------------------
; the owner name is relative to the zone origin, so this record is
; ntp.ubuntu.com.local.ubuntu.com, the RPZ trigger for ntp.ubuntu.com
ntp.ubuntu.com  IN A  10.10.10.10
And there we go: ntp.ubuntu.com now resolves where we wanted, while the rest of the domain still resolves normally.
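To make the setup reproducible, here is an added example (not code from the original post) that renders an RPZ local-data zone file like the one above from a list of "qname ip" overrides and, when BIND's dig is installed, checks that the override is actually served. The zone name local.ubuntu.com and the address 10.10.10.10 are the ones used above; the function names and the serial argument are my own assumptions.

```shell
#!/bin/sh
# Added example: build and verify a BIND RPZ local-data zone.
# Assumed: RPZ zone local.ubuntu.com, overrides given as "qname ip" lines.

# rpz_trigger_name QNAME RPZ_ZONE
# Prints the owner name BIND really matches: the query name with the
# policy zone appended (this is why the zone file uses relative owners).
rpz_trigger_name() {
    printf '%s.%s.\n' "$1" "$2"
}

# render_rpz_zone RPZ_ZONE SERIAL   (overrides read from stdin)
# Emits a zone file equivalent to db.local.ubuntu.com above.
render_rpz_zone() {
    zone=$1
    serial=$2
    printf '$TTL 24H\n$ORIGIN %s.\n' "$zone"
    printf '@   IN SOA LOCALHOST. named-mgr.ubuntu.com. ( %s 1d 1h 30d 2h )\n' "$serial"
    printf '    IN NS  LOCALHOST.\n'
    while read -r qname ip; do
        [ -n "$qname" ] || continue
        # relative owner: $ORIGIN is appended, giving qname.<rpz zone>
        printf '%s IN A %s\n' "$qname" "$ip"
    done
}

# check_override SERVER QNAME EXPECTED_IP
# Returns 0 when SERVER answers QNAME with EXPECTED_IP, 1 otherwise,
# and 2 when dig is not installed (check skipped).
check_override() {
    command -v dig >/dev/null 2>&1 || return 2
    got=$(dig +short @"$1" "$2" A | head -n 1)
    [ "$got" = "$3" ]
}

# Usage (constructed override list, run against a resolver of your own):
#   printf 'ntp.ubuntu.com 10.10.10.10\n' | render_rpz_zone local.ubuntu.com 6 \
#       > /etc/bind/zones/db.local.ubuntu.com
#   named-checkzone local.ubuntu.com /etc/bind/zones/db.local.ubuntu.com
#   check_override 127.0.0.1 ntp.ubuntu.com 10.10.10.10 && echo "override served"
```

After reloading named, a second check such as `dig +short @127.0.0.1 archive.ubuntu.com A` confirms that names not listed in the policy zone still fall through to normal resolution.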
Hope this helps, cheers