Using BIND With Different Nameservers for Different Devices

Super User Asked by Sam Bernstein on December 1, 2021

I am running pfSense with BIND installed. On that machine, for a subnet of devices, I want the requests to go to OpenDNS and add my own records that would take precedence over OpenDNS. For the rest of the devices, I want to use Cloudflare’s DNS (while keeping DHCP DNS entries / own records). I do not have to use BIND, but it seems like Unbound does not support it.

Important: I will not set the DNS servers individually per device! It must be automatic based on the subnet the devices are in.

So far: I have two ACLs (one for the LAN subnet, and another for the VPN subnet) and a view corresponding to each one of them. I have two zones (local.lan and vpn.lan) which have the domain names of each device on the subnets. I have an additional zone that handles forwarding for the VPN subnet view.

TL;DR: I want to have some devices use OpenDNS and some devices use Cloudflare based on IP address / subnet. I want to have the functionality of adding my own entries (e.g. get google.com to point to localhost).

One Answer

Alright, thanks to Frank Thomas in the comments, I was able to figure it out. In the end, I used RPZ with ACL + Views to get it done. I followed these links to figure it out: https://www.isc.org/docs/BIND_RPZ.pdf, https://www.isc.org/rpz/, and https://www.linuxbabe.com/redhat/response-policy-zone-rpz-bind-centos.

Here is what my configuration ended up like:

I created two ACLs: One for my VPN subnet and one for my LAN subnet.

acl "LAN" { 192.168.1.0/24; };
acl "VPN" { 10.0.8.0/24; };

The last number in the subnet has to be 0 (depending on your netmask, more trailing zeros will be needed); otherwise BIND throws a fit.

Then, I created two views: one for VPN and one for LAN.

view "VPN" { 
    recursion yes;
    match-clients { VPN; };
    allow-recursion { VPN; };
    response-policy {
        zone "rpz.vpn.lan";
    };
    
    forwarders {
        208.67.220.123;
        208.67.222.123;
    };

    zone "vpn.lan" {
        type master;
        file "/etc/namedb/master/VPN/vpn.lan.DB";
        allow-query { any; };
        allow-transfer { none; };
        allow-update { localhost; localnets; };
    };

    zone "rpz.vpn.lan" {
        type master;
        file "/etc/namedb/master/VPN/rpz.vpn.lan.DB";
        allow-query { localhost; localnets; };
        allow-transfer { localhost; localnets; };
        allow-update { localhost; localnets; };
    };

    zone "." {
        type hint;
        file "/etc/namedb/named.root";
    };

};
view "LAN" { 
    recursion yes;
    match-clients { LAN; };
    allow-recursion { any; };

    zone "local.lan" {
        type master;
        file "/etc/namedb/master/LAN/local.lan.DB";
        allow-query { any; };
        allow-transfer { none; };
        allow-update { localhost; localnets; };
    };

    zone "." {
        type hint;
        file "/etc/namedb/named.root";
    };

};

And to finalize the RPZ, I created the zone rpz.vpn.lan:

;
$ORIGIN rpz.vpn.lan.

;   Database file rpz.vpn.lan.DB for rpz.vpn.lan zone.
;   Do not edit this file!!!
;   Zone version 2595524218
;
rpz.vpn.lan.     IN  SOA pfsense.vpn.lan.    zonemaster.rpz.vpn.lan. (
        2595524218 ; serial
        1d ; refresh
        2h ; retry
        4w ; expire
        1h ; default_ttl
        )

;
; Zone Records
;
@    IN NS  pfsense.vpn.lan.
@    IN A   10.0.8.1
pfsense.vpn.lan      IN A   10.0.8.1
redis.io     IN CNAME   .

I used redis.io as a test to check if it worked.

Also added DHCP zones:

For the VPN subnet:

$TTL 7200
;
$ORIGIN vpn.lan.

;   Database file vpn.lan.DB for vpn.lan zone.
;   Do not edit this file!!!
;   Zone version 2595447119
;
vpn.lan.     IN  SOA pfsense.vpn.lan.    zonemaster.vpn.lan. (
        2595447119 ; serial
        1d ; refresh
        2h ; retry
        4w ; expire
        1h ; default_ttl
        )

;
; Zone Records
;
@    IN NS  pfsense.vpn.lan.
@    IN A   10.0.8.1
pfsense      IN A   10.0.8.1

And for the LAN:

$TTL 7200
;
$ORIGIN local.lan.

;   Database file local.lan.DB for local.lan zone.
;   Do not edit this file!!!
;   Zone version 2595445239
;
local.lan.   IN  SOA pfsense.local.lan.      zonemaster.local.lan. (
        2595445239 ; serial
        1d ; refresh
        2h ; retry
        4w ; expire
        1h ; default_ttl
        )

;
; Zone Records
;
@    IN NS  pfsense.local.lan.
@    IN A   192.168.1.1
pfsense      IN A   192.168.1.1

(Note that some ACLs and files are not shown for brevity)

Answered by Sam Bernstein on December 1, 2021
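The answer relies on three things working together: the client's source address picks a view (first `match-clients` match wins), the view's `response-policy` zone can rewrite answers before they reach the client, and anything the RPZ does not touch goes to that view's forwarders. The following added example (my own simulation, not BIND and not part of the answer) models exactly that chain with the ACLs, views and `rpz.vpn.lan` records posted above, so you can check which clients get which treatment before reloading `named`. The `google.com` A record is a constructed addition mirroring the question's "point google.com at localhost" wish; everything else is taken from the posted config.

```python
import ipaddress
# Constructed model of the ACLs and views posted above; a simulation, not BIND itself.
ACLS = {"LAN": [ipaddress.ip_network("192.168.1.0/24")],
        "VPN": [ipaddress.ip_network("10.0.8.0/24")]}
# Views in named.conf order: BIND hands a query to the first view whose match-clients matches.
VIEWS = [
    {"name": "VPN", "match_clients": "VPN", "rpz": "rpz.vpn.lan",
     "forwarders": ["208.67.220.123", "208.67.222.123"]},   # OpenDNS, as posted
    {"name": "LAN", "match_clients": "LAN", "rpz": None,
     "forwarders": []},   # the posted LAN view has no forwarders, so it walks the root hints
]
# Records from rpz.vpn.lan.DB (owners relative to the origin). The google.com A record is a
# constructed addition mirroring the question's "point google.com at localhost" example.
RPZ_ZONES = {"rpz.vpn.lan": {"redis.io": ("CNAME", "."), "google.com": ("A", "127.0.0.1")}}

def select_view(client_ip):
    # First view whose ACL contains client_ip; None means no view matches and BIND refuses.
    ip = ipaddress.ip_address(client_ip)
    for view in VIEWS:
        if any(ip in net for net in ACLS[view["match_clients"]]):
            return view
    return None

def rpz_action(view, qname):
    # RPZ QNAME-trigger semantics; only the CNAME-dot and local-data actions are modelled.
    if view["rpz"] is None:
        return ("PASSTHRU", None)
    records = RPZ_ZONES[view["rpz"]]
    labels = qname.rstrip(".").lower().split(".")
    # Exact owner first, then "*.<parent>" wildcards: a plain "redis.io" entry does not
    # cover "www.redis.io"; only a "*.redis.io" entry would.
    owners = [".".join(labels)] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for owner in owners:
        if owner in records:
            rtype, rdata = records[owner]
            if (rtype, rdata) == ("CNAME", "."):
                return ("NXDOMAIN", None)      # CNAME . => tell the client the name does not exist
            return ("LOCAL-DATA", rdata)       # any other record overrides the upstream answer
    return ("PASSTHRU", None)

def resolve(client_ip, qname):
    # Outcome of a query as the posted config treats it: (action, detail).
    view = select_view(client_ip)
    if view is None:
        return ("REFUSED", None)
    action, data = rpz_action(view, qname)
    if action == "PASSTHRU":
        return ("FORWARD", view["forwarders"] or "root-hints")
    return (action, data)
```

Note that a client outside both ACLs matches no view at all and is refused, which is the property that makes the per-subnet split safe: there is no fall-through view handing recursion to arbitrary sources.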
