I am trying to set up a special DNSBL service using bind9.
I found the wild card entries in zone files behaving rather strangely.
The idea is to resolve all DNS queries to
- <unless.blocked.dnsbl.local> => 127.0.0.100
- any.blacklisted.dnsbl.local => 127.0.0.250
I specified a zone file in /etc/bind/named.local like this:
zone "dnsbl.local." {
    type master;
    file "/etc/bind/db.in.dnsbl.local";
    allow-transfer { any; };
    allow-query { any; };
};
And in the zone file /etc/bind/db.in.dnsbl.local:
; BIND data file for TLD ".dnsbl.local"
;
$TTL 604800
$ORIGIN dnsbl.local.
@ IN SOA ns.dnsbl.local. root.dnsbl.local. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
14400 ) ; Negative Cache TTL
@ IN NS ns
@ IN A 127.0.0.1
@ IN AAAA ::1
ns IN A 127.0.0.1
allowed IN A 127.0.0.100
blocked IN A 127.0.0.250
dns01 IN CNAME blocked
apache01 IN CNAME blocked
mysql01 IN CNAME blocked
postfix01 IN CNAME blocked
dovecot01 IN CNAME blocked
rediff.com IN CNAME blocked
flipkart.com IN CNAME blocked
*.dnsbl.local. IN CNAME allowed
Now when I check, here's what I get as expected:
$ dig flipkart.com.dnsbl.local
; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> flipkart.com.dnsbl.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25300
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 7dce372de146f0d9beb6d65665f983dbc6881a3ff139bea8 (good)
;; QUESTION SECTION:
;flipkart.com.dnsbl.local. IN A
;; ANSWER SECTION:
flipkart.com.dnsbl.local. 604800 IN CNAME blocked.dnsbl.local.
blocked.dnsbl.local. 604800 IN A 127.0.0.250
;; AUTHORITY SECTION:
dnsbl.local. 604800 IN NS ns.dnsbl.local.
;; ADDITIONAL SECTION:
ns.dnsbl.local. 604800 IN A 127.0.0.1
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 19 17:53:55 IST 2024
;; MSG SIZE rcvd: 152
However, for:
$ dig google.com.dnsbl.local
; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> google.com.dnsbl.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27078
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 972c294bcda6d369824cd2a865f984433b37ef4e9e9453a7 (good)
;; QUESTION SECTION:
;google.com.dnsbl.local. IN A
;; AUTHORITY SECTION:
dnsbl.local. 14400 IN SOA ns.dnsbl.local. root.dnsbl.local. 2 604800 86400 2419200 14400
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 19 17:55:39 IST 2024
;; MSG SIZE rcvd: 123
I expected it to resolve to CNAME => allowed.com.dnsbl.com => 127.0.0.100, but it doesn't!
However, strangely, google.com.x.dnsbl.local resolves to CNAME allowed.dnsbl.local => 127.0.0.100:
$ dig google.com.x.dnsbl.local
; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> google.com.x.dnsbl.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50850
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 18987b3a55a0abfcc4edb01565f984d9758cba76c1c5a2c0 (good)
;; QUESTION SECTION:
;google.com.x.dnsbl.local. IN A
;; ANSWER SECTION:
google.com.x.dnsbl.local. 604800 IN CNAME allowed.dnsbl.local.
allowed.dnsbl.local. 604800 IN A 127.0.0.100
;; AUTHORITY SECTION:
dnsbl.local. 604800 IN NS ns.dnsbl.local.
;; ADDITIONAL SECTION:
ns.dnsbl.local. 604800 IN A 127.0.0.1
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 19 17:58:09 IST 2024
;; MSG SIZE rcvd: 152
And also for:
$ dig google.net.dnsbl.local
; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> google.net.dnsbl.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15841
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e7d23bffd1f25b171719188365f98f5cbbd45a92e4d57803 (good)
;; QUESTION SECTION:
;google.net.dnsbl.local. IN A
;; ANSWER SECTION:
google.net.dnsbl.local. 604800 IN CNAME allowed.dnsbl.local.
allowed.dnsbl.local. 604800 IN A 127.0.0.100
;; AUTHORITY SECTION:
dnsbl.local. 604800 IN NS ns.dnsbl.local.
;; ADDITIONAL SECTION:
ns.dnsbl.local. 604800 IN A 127.0.0.1
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 19 18:43:00 IST 2024
;; MSG SIZE rcvd: 150
I wish to understand:
- Why google.com.x.dnsbl.local resolves to allowed.dnsbl.local => 127.0.0.100
- But google.com.dnsbl.local results in NXDOMAIN
- What should I do to make this work?
I am sure there's some hacker out there who can help me figure this out.
Thanks in advance.
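To make the behaviour above reproducible without a running BIND, here is an added example (not the poster's configuration and not BIND's own code) that applies the RFC 4592 wildcard rule to a constructed copy of the zone: the explicit `rediff.com` and `flipkart.com` records make `com.dnsbl.local.` an existing empty non-terminal, so it is the closest encloser of `google.com.dnsbl.local`, and only a `*.com.dnsbl.local.` record (which the zone does not have) could match there.

```python
ORIGIN = "dnsbl.local."
ZONE = {  # constructed copy of the zone file above; owner -> [(type, rdata)]
    "dnsbl.local.": [("NS", "ns.dnsbl.local."), ("A", "127.0.0.1")],
    "allowed.dnsbl.local.": [("A", "127.0.0.100")],
    "blocked.dnsbl.local.": [("A", "127.0.0.250")],
    "rediff.com.dnsbl.local.": [("CNAME", "blocked.dnsbl.local.")],
    "flipkart.com.dnsbl.local.": [("CNAME", "blocked.dnsbl.local.")],
    "*.dnsbl.local.": [("CNAME", "allowed.dnsbl.local.")],
}

def existing_nodes(zone, origin=ORIGIN):
    """Zone tree nodes incl. empty non-terminals (com.dnsbl.local. exists only via its children)."""
    depth = len(origin.rstrip(".").split("."))
    nodes = set()
    for owner in zone:
        labels = owner.rstrip(".").split(".")
        for i in range(len(labels) - depth + 1):
            nodes.add(".".join(labels[i:]) + ".")
    return nodes

def lookup(qname, zone=ZONE, origin=ORIGIN):
    """Toy RFC 4592 matcher (not BIND's code): returns (match_kind, rrset)."""
    qname = qname.lower().rstrip(".") + "."
    if qname != origin and not qname.endswith("." + origin):
        return "refused", []          # name is outside this zone
    nodes = existing_nodes(zone, origin)
    if qname in zone:
        return "exact", zone[qname]   # explicit owner: wildcards never apply
    if qname in nodes:
        return "nodata", []           # empty non-terminal: NOERROR, no answer
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):   # walk up to the closest existing ancestor
        encloser = ".".join(labels[i:]) + "."
        if encloser in nodes:
            wildcard = "*." + encloser  # only a wildcard directly below the
            if wildcard in zone:        # closest encloser can be synthesized
                return "wildcard", zone[wildcard]
            return "nxdomain", []     # e.g. *.com.dnsbl.local. does not exist

def resolve_a(qname, zone=ZONE, hops=0):
    """Chase in-zone CNAMEs to the final A record, as the dig output shows."""
    kind, rrset = lookup(qname, zone)
    if kind in ("nxdomain", "refused"):
        return kind.upper(), None
    for rtype, rdata in rrset:
        if rtype == "CNAME" and hops < 8:
            return resolve_a(rdata, zone, hops + 1)
        if rtype == "A":
            return "NOERROR", rdata
    return "NOERROR", None
```

The same rule means every explicitly listed intermediate label (here `com`) needs its own `*.<label>.dnsbl.local.` record, or the blocked names must be placed so that they do not create an intermediate node above the wildcard's scope.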