
I'm guessing there has to be a reasonable way to solve my issue but I'm trying to get some advice on a best practice to implement.

I have recently moved to a Web Design company and we need to be able to spoof DNS entries for websites we're working on. However we want to only override certain A records, but keep the others so the site seems to work.

i.e.: We want to make "support.abcd.com" resolve locally, but everything else go to the real site. This would allow us to design/demo a fully functioning site with only the work in progress locally.

We have an internal BIND DNS server (9.9.5.dfsg-3).

What should my zone file look like for "abcd.com" based on the example above?

Edit: Would this work?

          IN ns1
abcd.com. IN NS ns1
support.abcd.com. IN A 192.168.1.1
faq.abcd.com.     IN A 192.168.1.1
*.abcd.com.       IN NS abcd.com     <- External?
MadHatter
Kladskull

2 Answers

If this all just deals with overriding hostname->ip lookups, what is likely the easiest to set up and manage (especially if you have rapidly changing requirements) is for the developers to simply override the normal resolution by adding the relevant names in their local hosts files and to leave DNS alone.

However, if you want to do this with DNS, using BIND as the resolver server, and you need to override specific names only (rather than whole zones), I believe you will need to use the Response Policy Zone (RPZ) functionality. This can possibly be done in conjunction with the use of views in order to make these changes only affect specific clients.

I've included an example that would do the kind of thing you are specifically asking for, but look at the linked documentation above for all the other options for how you can override things and more complete examples.

options {
  ...
  response-policy { zone "development-overrides"; };
};

...

zone "development-overrides" {type master; file "master/development-overrides"; allow-query {none;}; };

The referenced zone file has the normal master file syntax but the semantics are RPZ specific (do read the RPZ docs!):

$TTL 1H
; Apex of the policy zone: placeholder SOA/NS, never returned to clients
@                       SOA LOCALHOST. named-mgr.example.com. (1 1h 15m 30d 2h)
                        NS  LOCALHOST.

; RPZ triggers are relative to the policy zone: no trailing dot on these owner names
support.example.com     A   192.168.1.1
faq.example.com         A   192.168.1.1
Håkan Lindqvist
  • Followed your advice, I think it will work. Can you take a look at an issue I am having with what I have done based on this answer please? http://serverfault.com/questions/617313/why-does-nslookup-not-return-what-i-am-expecting-from-my-bind-server-rpz-confi – Kladskull Aug 01 '14 at 20:52
  • I've found your first paragraph a little bit blurry, so I tried to reorganize it a little bit. But my English also isn't very good, so if you think it is not ok, then I am sorry and of course feel free to reverse or improve the change. – peterh Nov 18 '15 at 15:10
  • @peterh Thanks for pointing out that there were issues! However, your changes actually changed the meaning (probably not intentionally but as a result of the very problems you were trying to fix) into something that I disagree with. I tried to improve the initial paragraphs in a different way. – Håkan Lindqvist Nov 18 '15 at 17:37
  • Awesome. Now I see why `bind` is still the major nameserver out there. I wanted to transparently override a domain to be a CNAME of another domain. This works pretty well with your suggested config above. Before that I tried `dnsmasq` and `unbound`. With the former I could not override anything, and with the latter I could only override with `A` records but not `CNAME` (I needed CNAME as I don't control the target domain and it can change at any time). -- needed to transparently redirect some users to a mirror server as the main server is blocked by a stupid firewall – akostadinov Nov 23 '15 at 14:39
  • 5000 views on this post so far! I found your answer while I was looking for a simple way to override a single host within a domain. Your answer provides a summary of the referred documentation; I could not blindly follow what you say without looking at those references. It would have saved me some time if the answer was a little more idiot-proof. I don't care so much about bind, I just need the task done ;o Others might benefit from you editing this to be more easy to follow. Good answer though! Upvoted :) – Pétur Ingi Egilsson Jan 21 '17 at 20:40

Either modify the hosts file on the developers' machines (/etc/hosts on UNIX/Linux and C:\windows\system32\drivers\etc\hosts on Windows) or use view settings on your DNS: define an ACL with the subnets that should be "spoofed" and use "match-clients" inside the view to match just those clients.

About your example, it's a CNAME field, not an NS field.

Diamond
Vovor
  • I like the `hosts` file suggestion, that's simple and largely dodges the whole problem. I don't think the DNS side of the answer actually addresses the core of the question, though. – Håkan Lindqvist Jul 26 '14 at 13:24
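The two answers together describe one setup: an RPZ zone holding the per-host overrides (first answer) and a view with an ACL and match-clients so that only developer subnets receive the overridden answers (second answer). The following generator, added here as an example and not code from either answerer or from BIND, renders both pieces and enforces the RPZ pitfalls that commonly bite: trigger names must be relative to the policy zone (no trailing dot, or named discards them as out-of-zone), CNAME targets must be absolute, duplicates are rejected, and the serial always increases so a reload picks the change up. The hostnames, addresses, subnets, zone path and the `dev-clients` ACL name are constructed placeholders.

```python
"""Generate a BIND RPZ override zone and the named.conf fragment that applies
it only to developer clients (ACL + view with match-clients).

Added example, not code from either answer. Hostnames, addresses, subnets
and the zone path are constructed placeholders."""
import datetime
import ipaddress
import re

# Constructed sample overrides: (public name, rrtype, rdata).
OVERRIDES = [
    ("support.abcd.com", "A", "192.168.1.1"),
    ("faq.abcd.com", "A", "192.168.1.1"),
    # A CNAME override, for the case where the replacement host may change.
    ("cdn.abcd.com", "CNAME", "mirror.dev.internal."),
]

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize_owner(name: str) -> str:
    """Return the RPZ trigger name for a public hostname.

    Triggers are relative to the policy zone, so the owner must NOT carry a
    trailing dot (an absolute name would be out-of-zone and dropped at load).
    """
    name = name.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty hostname")
    for label in name.split("."):
        if not _LABEL.match(label):
            raise ValueError(f"invalid label in {name!r}")
    return name


def check_rdata(rrtype: str, rdata: str) -> str:
    """Validate the rdata for the record types this generator supports."""
    if rrtype == "A":
        ipaddress.IPv4Address(rdata)      # ValueError if malformed
    elif rrtype == "AAAA":
        ipaddress.IPv6Address(rdata)
    elif rrtype == "CNAME":
        # A relative target would get the policy zone's origin appended.
        if not rdata.endswith("."):
            raise ValueError("CNAME target must be absolute (trailing dot)")
    else:
        raise ValueError(f"unsupported record type {rrtype}")
    return rdata


def serial_for(today: datetime.date, previous: int = 0) -> int:
    """YYYYMMDDnn serial that is always greater than the previous one, so
    named notices the change on reload."""
    base = int(today.strftime("%Y%m%d")) * 100
    return max(base, previous + 1)


def render_rpz_zone(overrides, serial: int) -> str:
    """Render the policy zone in master-file syntax (RPZ semantics)."""
    lines = [
        "$TTL 1H",
        f"@    SOA LOCALHOST. named-mgr.example.com. ({serial} 1h 15m 30d 2h)",
        "     NS  LOCALHOST.",
        "",
    ]
    seen = set()
    for name, rrtype, rdata in overrides:
        owner = normalize_owner(name)
        if (owner, rrtype) in seen:
            raise ValueError(f"duplicate {rrtype} override for {owner}")
        seen.add((owner, rrtype))
        lines.append(f"{owner:<28}{rrtype:<6}{check_rdata(rrtype, rdata)}")
    return "\n".join(lines) + "\n"


def render_named_conf(zone_name: str, zone_path: str, dev_subnets) -> str:
    """named.conf fragment: the RPZ is attached to a view that only clients
    in the developer ACL match; everyone else resolves unmodified. With
    views in use, every zone must live inside a view."""
    subnets = " ".join(f"{ipaddress.ip_network(s)};" for s in dev_subnets)
    return (
        f"acl dev-clients {{ {subnets} }};\n\n"
        f'view "developers" {{\n'
        f"    match-clients {{ dev-clients; }};\n"
        f"    recursion yes;\n"
        f'    response-policy {{ zone "{zone_name}"; }};\n'
        f'    zone "{zone_name}" {{\n'
        f"        type master;\n"
        f'        file "{zone_path}";\n'
        f"        allow-query {{ none; }};\n"
        f"    }};\n"
        f"}};\n\n"
        f'view "everyone-else" {{\n'
        f"    match-clients {{ any; }};\n"
        f"    recursion yes;\n"
        f"}};\n"
    )


if __name__ == "__main__":
    serial = serial_for(datetime.date.today())
    print(render_rpz_zone(OVERRIDES, serial))
    print(render_named_conf("development-overrides",
                            "master/development-overrides",
                            ["192.168.10.0/24", "10.0.5.0/24"]))
```

After writing the two outputs into named.conf and the zone file, `named-checkconf` and `named-checkzone development-overrides <file>` catch syntax problems before a reload, and a `dig A support.abcd.com @<resolver>` from inside and outside the developer subnet shows whether the view split behaves as intended (the local address from a dev client, the public one from anyone else).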