In our private network we have services that are served to the internet and should also be used by the users sitting inside the network (physically or via VPN). We have a main DNS servers in a cloud provider and it is serving service.example.com pointing to our firewall internet facing address and an internal DNS server with all the same records duplicated except service.example.com that is pointing to its address reachable in the private network.
This arrangement causes some maintenance trouble because every time we add a new domain to the main DNS, we need to duplicate this entry in the internal server.
Some time ago I looked up how to solve this a little more elegantly and found out about response-policy-zone feature in BIND. With this set up we can have our internal server configured to only have entries for the domains that need to have different responses in our private network without the need to duplicate all other entries.
Step-by-step
Configure a response-policy in the options:
options {
[...]
response-policy { zone "rpz"; };
}Create the zone you referenced in the response-policy ("rpz")
zone "rpz" {
type master;
file "rpz.db";
};Then populate the zone file referenced ("rpz.db")
$TTL 300
@ IN SOA localhost. root.localhost. (
2023091201 ; serial
86400 ; refresh, seconds
7200 ; retry, seconds
3600000 ; expire, seconds
86400 ; minimum, seconds
)
@ IN NS dns.google.
; you need the full domain here, without ending with a period
production.example.com IN A 192.168.0.10
dev.example.com IN A 192.168.0.10
bad.ads.example.com IN A 127.0.0.1
evil.domain.example.com IN A 127.0.0.1reload the configs and you should be good to go.
References:
https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html