Gecko [ www.utparral.edu.mx ]

Name	Size	Permission
_static	[ DIR ]	drwxr-xr-x
chapter10.html	22.05 KB	-rw-r--r--
chapter1.html	34.51 KB	-rw-r--r--
chapter2.html	15.73 KB	-rw-r--r--
chapter3.html	131.95 KB	-rw-r--r--
chapter4.html	48.77 KB	-rw-r--r--
chapter5.html	81.82 KB	-rw-r--r--
chapter6.html	145.29 KB	-rw-r--r--
chapter7.html	52.45 KB	-rw-r--r--
chapter9.html	18.56 KB	-rw-r--r--
dnssec-guide.html	436.46 KB	-rw-r--r--
general.html	46.95 KB	-rw-r--r--
genindex.html	203.17 KB	-rw-r--r--
history.html	9.97 KB	-rw-r--r--
index.html	28.49 KB	-rw-r--r--
manpages.html	803.05 KB	-rw-r--r--
notes.html	238.02 KB	-rw-r--r--
reference.html	1.4 MB	-rw-r--r--
search.html	5.21 KB	-rw-r--r--

Code Editor : chapter6.html

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
 <meta charset="utf-8" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

<body class="wy-body-for-nav"> 
 <div class="wy-grid-for-nav">
 <nav data-toggle="wy-nav-shift" class="wy-nav-side">
 <div class="wy-side-scroll">
 <div class="wy-side-nav-search" >
 <a href="index.html" class="icon icon-home"> BIND 9
 </a>
 <div class="version">
 9.18.39-0ubuntu0.22.04.2-Ubuntu
 </div>
<div role="search">
 <form id="rtd-search-form" class="wy-form" action="search.html" method="get">
 <input type="text" name="q" placeholder="Search docs" />
 <input type="hidden" name="check_keywords" value="yes" />
 <input type="hidden" name="area" value="default" />
 </form>
</div>
 </div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
 <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="chapter1.html">1. Introduction to DNS and BIND 9</a></li>
<li class="toctree-l1"><a class="reference internal" href="chapter2.html">2. Resource Requirements</a></li>
<li class="toctree-l1"><a class="reference internal" href="chapter3.html">3. Configurations and Zone Files</a></li>
<li class="toctree-l1"><a class="reference internal" href="chapter4.html">4. Name Server Operations</a></li>
<li class="toctree-l1"><a class="reference internal" href="chapter5.html">5. DNSSEC</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">6. Advanced Configurations</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#dynamic-update">6.1. Dynamic Update</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#the-journal-file">6.1.1. The Journal File</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notify">6.2. NOTIFY</a></li>
<li class="toctree-l2"><a class="reference internal" href="#incremental-zone-transfers-ixfr">6.3. Incremental Zone Transfers (IXFR)</a></li>
<li class="toctree-l2"><a class="reference internal" href="#split-dns">6.4. Split DNS</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#example-split-dns-setup">6.4.1. Example Split DNS Setup</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#ipv6-support-in-bind-9">6.5. IPv6 Support in BIND 9</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#address-lookups-using-aaaa-records">6.5.1. Address Lookups Using AAAA Records</a></li>
<li class="toctree-l3"><a class="reference internal" href="#address-to-name-lookups-using-nibble-format">6.5.2. Address-to-Name Lookups Using Nibble Format</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#dynamically-loadable-zones-dlz">6.6. Dynamically Loadable Zones (DLZ)</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#configuring-dlz">6.6.1. Configuring DLZ</a></li>
<li class="toctree-l3"><a class="reference internal" href="#sample-dlz-module">6.6.2. Sample DLZ Module</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#dynamic-database-dyndb">6.7. Dynamic Database (DynDB)</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#configuring-dyndb">6.7.1. Configuring DynDB</a></li>
<li class="toctree-l3"><a class="reference internal" href="#sample-dyndb-module">6.7.2. Sample DynDB Module</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#catalog-zones">6.8. Catalog Zones</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#principle-of-operation">6.8.1. Principle of Operation</a></li>
<li class="toctree-l3"><a class="reference internal" href="#configuring-catalog-zones">6.8.2. Configuring Catalog Zones</a></li>
<li class="toctree-l3"><a class="reference internal" href="#catalog-zone-format">6.8.3. Catalog Zone Format</a></li>
<li class="toctree-l3"><a class="reference internal" href="#catalog-zone-custom-properties">6.8.4. Catalog Zone Custom Properties</a></li>
<li class="toctree-l3"><a class="reference internal" href="#change-of-ownership-coo">6.8.5. Change of Ownership (coo)</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#dns-firewalls-and-response-policy-zones">6.9. DNS Firewalls and Response Policy Zones</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#why-use-a-dns-firewall">6.9.1. Why Use a DNS Firewall?</a></li>
<li class="toctree-l3"><a class="reference internal" href="#what-can-a-dns-firewall-do">6.9.2. What Can a DNS Firewall Do?</a></li>
<li class="toctree-l3"><a class="reference internal" href="#creating-and-maintaining-rpz-rule-sets">6.9.3. Creating and Maintaining RPZ Rule Sets</a></li>
<li class="toctree-l3"><a class="reference internal" href="#limitations-of-dns-rpz">6.9.4. Limitations of DNS RPZ</a></li>
<li class="toctree-l3"><a class="reference internal" href="#dns-firewall-usage-examples">6.9.5. DNS Firewall Usage Examples</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#a-real-world-example-of-dns-rpz-s-value">6.9.5.1. A Real-World Example of DNS RPZ’s Value</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#keeping-firewall-policies-updated">6.9.6. Keeping Firewall Policies Updated</a></li>
<li class="toctree-l3"><a class="reference internal" href="#performance-and-scalability-when-using-multiple-rpzs">6.9.7. Performance and Scalability When Using Multiple RPZs</a></li>
<li class="toctree-l3"><a class="reference internal" href="#practical-tips-for-dns-firewalls-and-dns-rpz">6.9.8. Practical Tips for DNS Firewalls and DNS RPZ</a></li>
<li class="toctree-l3"><a class="reference internal" href="#creating-a-simple-walled-garden-triggered-by-ip-address">6.9.9. Creating a Simple Walled Garden Triggered by IP Address</a></li>
<li class="toctree-l3"><a class="reference internal" href="#a-known-inconsistency-in-dns-rpz-s-nsdname-and-nsip-rules">6.9.10. A Known Inconsistency in DNS RPZ’s NSDNAME and NSIP Rules</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#dns-delegation">6.9.10.1. DNS Delegation</a></li>
<li class="toctree-l4"><a class="reference internal" href="#a-quick-review-of-dns-iteration">6.9.10.2. A Quick Review of DNS Iteration</a></li>
<li class="toctree-l4"><a class="reference internal" href="#enter-rpz">6.9.10.3. Enter RPZ</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#example-using-rpz-to-disable-mozilla-doh-by-default">6.9.11. Example: Using RPZ to Disable Mozilla DoH-by-Default</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="chapter7.html">7. Security Configurations</a></li>
<li class="toctree-l1"><a class="reference internal" href="reference.html">8. Configuration Reference</a></li>
<li class="toctree-l1"><a class="reference internal" href="chapter9.html">9. Troubleshooting</a></li>
<li class="toctree-l1"><a class="reference internal" href="chapter10.html">10. Building BIND 9</a></li>
</ul>
Appendices
<ul>
<li class="toctree-l1"><a class="reference internal" href="notes.html">Release Notes</a></li>
<li class="toctree-l1"><a class="reference internal" href="changelog.html">Changelog</a></li>
<li class="toctree-l1"><a class="reference internal" href="dnssec-guide.html">DNSSEC Guide</a></li>
<li class="toctree-l1"><a class="reference internal" href="history.html">A Brief History of the DNS and BIND</a></li>
<li class="toctree-l1"><a class="reference internal" href="general.html">General DNS Reference Information</a></li>
<li class="toctree-l1"><a class="reference internal" href="manpages.html">Manual Pages</a></li>
</ul>

</div>
 </div>
 </nav>

<div class="wy-nav-content">
 <div class="rst-content">
 <div role="navigation" aria-label="Page navigation">
 <ul class="wy-breadcrumbs">
 <li><a href="index.html" class="icon icon-home"></a> &raquo;</li>
 <li>6. Advanced Configurations</li>
 <li class="wy-breadcrumbs-aside">
 <a href="_sources/chapter6.rst.txt" rel="nofollow"> View page source</a>
 </li>
 </ul>
 <hr/>
</div>
 <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
 <div itemprop="articleBody">
 
 <section id="advanced-configurations">
<h1>6. Advanced Configurations<a class="headerlink" href="#advanced-configurations" title="Permalink to this headline"></a></h1>
<section id="dynamic-update">
<h2>6.1. Dynamic Update<a class="headerlink" href="#dynamic-update" title="Permalink to this headline"></a></h2>
Dynamic update is a method for adding, replacing, or deleting records in
a primary server by sending it a special form of DNS messages. The format
and meaning of these messages is specified in <a class="rfc reference external" href="https://tools.ietf.org/html/rfc2136.html">RFC 2136</a>.
Dynamic update is enabled by including an <a class="reference internal" href="reference.html#namedconf-statement-allow-update" title="namedconf-statement-allow-update"><code class="xref any namedconf namedconf-ref docutils literal notranslate">allow-update</code></a> or an
<a class="reference internal" href="reference.html#namedconf-statement-update-policy" title="namedconf-statement-update-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate">update-policy</code></a> clause in the <a class="reference internal" href="reference.html#namedconf-statement-zone" title="namedconf-statement-zone"><code class="xref any namedconf namedconf-ref docutils literal notranslate">zone</code></a> statement.
If the zone’s <a class="reference internal" href="reference.html#namedconf-statement-update-policy" title="namedconf-statement-update-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate">update-policy</code></a> is set to <code class="docutils literal notranslate">local</code>, updates to the zone
are permitted for the key <code class="docutils literal notranslate">local-ddns</code>, which is generated by
<a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate">named</code></a> at startup. See <a class="reference internal" href="reference.html#dynamic-update-policies">Dynamic Update Policies</a> for more details.
Dynamic updates using Kerberos-signed requests can be made using the
TKEY/GSS protocol, either by setting the <a class="reference internal" href="reference.html#namedconf-statement-tkey-gssapi-keytab" title="namedconf-statement-tkey-gssapi-keytab"><code class="xref any namedconf namedconf-ref docutils literal notranslate">tkey-gssapi-keytab</code></a> option
or by setting both the <a class="reference internal" href="reference.html#namedconf-statement-tkey-gssapi-credential" title="namedconf-statement-tkey-gssapi-credential"><code class="xref any namedconf namedconf-ref docutils literal notranslate">tkey-gssapi-credential</code></a> and
<a class="reference internal" href="reference.html#namedconf-statement-tkey-domain" title="namedconf-statement-tkey-domain"><code class="xref any namedconf namedconf-ref docutils literal notranslate">tkey-domain</code></a> options. Once enabled, Kerberos-signed requests are
matched against the update policies for the zone, using the Kerberos
principal as the signer for the request.
Updating of secure zones (zones using DNSSEC) follows <a class="rfc reference external" href="https://tools.ietf.org/html/rfc3007.html">RFC 3007</a>: RRSIG,
NSEC, and NSEC3 records affected by updates are automatically regenerated
by the server using an online zone key. Update authorization is based on
transaction signatures and an explicit server policy.
<section id="the-journal-file">
<h3>6.1.1. The Journal File<a class="headerlink" href="#the-journal-file" title="Permalink to this headline"></a></h3>
All changes made to a zone using dynamic update are stored in the zone’s
journal file. This file is automatically created by the server when the
first dynamic update takes place. The name of the journal file is formed
by appending the extension <code class="docutils literal notranslate">.jnl</code> to the name of the corresponding
zone file unless specifically overridden. The journal file is in a
binary format and should not be edited manually.
The server also occasionally writes (“dumps”) the complete contents
of the updated zone to its zone file. This is not done immediately after
each dynamic update because that would be too slow when a large zone is
updated frequently. Instead, the dump is delayed by up to 15 minutes,
allowing additional updates to take place. During the dump process,
transient files are created with the extensions <code class="docutils literal notranslate">.jnw</code> and
<code class="docutils literal notranslate">.jbk</code>; under ordinary circumstances, these are removed when the
dump is complete, and can be safely ignored.
When a server is restarted after a shutdown or crash, it replays the
journal file to incorporate into the zone any updates that took place
after the last zone dump.
Changes that result from incoming incremental zone transfers are also
journaled in a similar way.
The zone files of dynamic zones cannot normally be edited by hand
because they are not guaranteed to contain the most recent dynamic
changes; those are only in the journal file. The only way to ensure
that the zone file of a dynamic zone is up-to-date is to run
<a class="reference internal" href="manpages.html#cmdoption-rndc-arg-stop"><code class="xref std std-option docutils literal notranslate">rndc stop</code></a>.
To make changes to a dynamic zone manually, follow these steps:
first, disable dynamic updates to the zone using
<a class="reference internal" href="manpages.html#cmdoption-rndc-arg-freeze"><code class="xref std std-option docutils literal notranslate">rndc freeze zone</code></a>. This updates the zone file with the
changes stored in its <code class="docutils literal notranslate">.jnl</code> file. Then, edit the zone file. Finally, run
<a class="reference internal" href="manpages.html#cmdoption-rndc-arg-thaw"><code class="xref std std-option docutils literal notranslate">rndc thaw zone</code></a> to reload the changed zone and re-enable dynamic
updates.
<a class="reference internal" href="manpages.html#cmdoption-rndc-arg-sync"><code class="xref std std-option docutils literal notranslate">rndc sync zone</code></a> updates the zone file with changes from the
journal file without stopping dynamic updates; this may be useful for
viewing the current zone state. To remove the <code class="docutils literal notranslate">.jnl</code> file after
updating the zone file, use <a class="reference internal" href="manpages.html#cmdoption-rndc-arg-sync"><code class="xref std std-option docutils literal notranslate">rndc sync -clean</code></a>.
</section>
</section>
<section id="notify">
<h2>6.2. NOTIFY<a class="headerlink" href="#notify" title="Permalink to this headline"></a></h2>
DNS NOTIFY is a mechanism that allows primary servers to notify their
secondary servers of changes to a zone’s data. In response to a NOTIFY message
from a primary server, the secondary checks to see that its version of
the zone is the current version and, if not, initiates a zone transfer.
For more information about DNS NOTIFY, see the description of the
<a class="reference internal" href="reference.html#namedconf-statement-notify" title="namedconf-statement-notify"><code class="xref namedconf namedconf-ref docutils literal notranslate">notify</code></a> and <a class="reference internal" href="reference.html#namedconf-statement-also-notify" title="namedconf-statement-also-notify"><code class="xref namedconf namedconf-ref docutils literal notranslate">also-notify</code></a> statements.
The NOTIFY protocol is specified in <a class="rfc reference external" href="https://tools.ietf.org/html/rfc1996.html">RFC 1996</a>.
<div class="admonition note">
Note
As a secondary zone can also be a primary to other secondaries, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate">named</code></a>, by
default, sends NOTIFY messages for every zone it loads.
</div>
</section>
<section id="incremental-zone-transfers-ixfr">
<h2>6.3. Incremental Zone Transfers (IXFR)<a class="headerlink" href="#incremental-zone-transfers-ixfr" title="Permalink to this headline"></a></h2>
The incremental zone transfer (IXFR) protocol is a way for secondary servers
to transfer only changed data, instead of having to transfer an entire
zone. The IXFR protocol is specified in <a class="rfc reference external" href="https://tools.ietf.org/html/rfc1995.html">RFC 1995</a>.
When acting as a primary server, BIND 9 supports IXFR for those zones where the
necessary change history information is available. These include primary
zones maintained by dynamic update and secondary zones whose data was
obtained by IXFR. For manually maintained primary zones, and for secondary
zones obtained by performing a full zone transfer (AXFR), IXFR is
supported only if the option <a class="reference internal" href="reference.html#namedconf-statement-ixfr-from-differences" title="namedconf-statement-ixfr-from-differences"><code class="xref any namedconf namedconf-ref docutils literal notranslate">ixfr-from-differences</code></a> is set to
<code class="docutils literal notranslate">yes</code>.
When acting as a secondary server, BIND 9 attempts to use IXFR unless it is
explicitly disabled. For more information about disabling IXFR, see the
description of the <a class="reference internal" href="reference.html#namedconf-statement-request-ixfr" title="namedconf-statement-request-ixfr"><code class="xref any namedconf namedconf-ref docutils literal notranslate">request-ixfr</code></a> clause of the <a class="reference internal" href="reference.html#namedconf-statement-server" title="namedconf-statement-server"><code class="xref namedconf namedconf-ref docutils literal notranslate">server</code></a> statement.
When a secondary server receives a zone via AXFR, it creates a new copy of the
zone database and then swaps it into place; during the loading process, queries
continue to be served from the old database with no interference. When receiving
a zone via IXFR, however, changes are applied to the running zone, which may
degrade query performance during the transfer. If a server receiving an IXFR
request determines that the response size would be similar in size to an AXFR
response, it may wish to send AXFR instead. The threshold at which this
determination is made can be configured using the
<a class="reference internal" href="reference.html#namedconf-statement-max-ixfr-ratio" title="namedconf-statement-max-ixfr-ratio"><code class="xref any namedconf namedconf-ref docutils literal notranslate">max-ixfr-ratio</code></a> option.
</section>
<section id="split-dns">
<h2>6.4. Split DNS<a class="headerlink" href="#split-dns" title="Permalink to this headline"></a></h2>
Setting up different views of the DNS space to internal
and external resolvers is usually referred to as a split DNS setup.
There are several reasons an organization might want to set up its DNS
this way.
One common reason to use split DNS is to hide
“internal” DNS information from “external” clients on the Internet.
There is some debate as to whether this is actually useful.
Internal DNS information leaks out in many ways (via email headers, for
example) and most savvy “attackers” can find the information they need
using other means. However, since listing addresses of internal servers
that external clients cannot possibly reach can result in connection
delays and other annoyances, an organization may choose to use split
DNS to present a consistent view of itself to the outside world.
Another common reason for setting up a split DNS system is to allow
internal networks that are behind filters or in <a class="rfc reference external" href="https://tools.ietf.org/html/rfc1918.html">RFC 1918</a> space (reserved
IP space, as documented in <a class="rfc reference external" href="https://tools.ietf.org/html/rfc1918.html">RFC 1918</a>) to resolve DNS on the Internet.
Split DNS can also be used to allow mail from outside back into the
internal network.
<section id="example-split-dns-setup">
<h3>6.4.1. Example Split DNS Setup<a class="headerlink" href="#example-split-dns-setup" title="Permalink to this headline"></a></h3>
Let’s say a company named Example, Inc. (<code class="docutils literal notranslate">example.com</code>) has several
corporate sites that have an internal network with reserved Internet
Protocol (IP) space and an external demilitarized zone (DMZ), or
“outside” section of a network, that is available to the public.
Example, Inc. wants its internal clients to be able to resolve
external hostnames and to exchange mail with people on the outside. The
company also wants its internal resolvers to have access to certain
internal-only zones that are not available at all outside of the
internal network.
To accomplish this, the company sets up two sets of name
servers. One set is on the inside network (in the reserved IP
space) and the other set is on bastion hosts, which are “proxy”
hosts in the DMZ that can talk to both sides of its network.
The internal servers are configured to forward all queries, except
queries for <code class="docutils literal notranslate">site1.internal</code>, <code class="docutils literal notranslate">site2.internal</code>,
<code class="docutils literal notranslate">site1.example.com</code>, and <code class="docutils literal notranslate">site2.example.com</code>, to the servers in the
DMZ. These internal servers have complete sets of information for
<code class="docutils literal notranslate">site1.example.com</code>, <code class="docutils literal notranslate">site2.example.com</code>, <code class="docutils literal notranslate">site1.internal</code>, and
<code class="docutils literal notranslate">site2.internal</code>.
To protect the <code class="docutils literal notranslate">site1.internal</code> and <code class="docutils literal notranslate">site2.internal</code> domains, the
internal name servers must be configured to disallow all queries to
these domains from any external hosts, including the bastion hosts.
The external servers, which are on the bastion hosts, are configured
to serve the “public” version of the <code class="docutils literal notranslate">site1.example.com</code> and <code class="docutils literal notranslate">site2.example.com</code>
zones. This could include things such as the host records for public
servers (<code class="docutils literal notranslate">www.example.com</code> and <code class="docutils literal notranslate">ftp.example.com</code>) and mail exchange
(MX) records (<code class="docutils literal notranslate">a.mx.example.com</code> and <code class="docutils literal notranslate">b.mx.example.com</code>).
In addition, the public <code class="docutils literal notranslate">site1.example.com</code> and <code class="docutils literal notranslate">site2.example.com</code> zones should
have special MX records that contain wildcard (<code class="docutils literal notranslate">*</code>) records pointing to
the bastion hosts. This is needed because external mail servers
have no other way of determining how to deliver mail to those internal
hosts. With the wildcard records, the mail is delivered to the
bastion host, which can then forward it on to internal hosts.
Here’s an example of a wildcard MX record:
<div class="highlight-default notranslate"><div class="highlight"><pre>* IN MX 10 external1.example.com.
</pre></div>
</div>
Now that they accept mail on behalf of anything in the internal network,
the bastion hosts need to know how to deliver mail to internal
hosts. The resolvers on the bastion
hosts need to be configured to point to the internal name servers
for DNS resolution.
Queries for internal hostnames are answered by the internal servers,
and queries for external hostnames are forwarded back out to the DNS
servers on the bastion hosts.
For all of this to work properly, internal clients need to be
configured to query only the internal name servers for DNS queries.
This could also be enforced via selective filtering on the network.
If everything has been set properly, Example, Inc.’s internal clients
are now able to:
<ul class="simple">
<li>Look up any hostnames in the <code class="docutils literal notranslate">site1.example.com</code> and <code class="docutils literal notranslate">site2.example.com</code>
zones.</li>
<li>Look up any hostnames in the <code class="docutils literal notranslate">site1.internal</code> and
<code class="docutils literal notranslate">site2.internal</code> domains.</li>
<li>Look up any hostnames on the Internet.</li>
<li>Exchange mail with both internal and external users.</li>
</ul>
Hosts on the Internet are able to:
<ul class="simple">
<li>Look up any hostnames in the <code class="docutils literal notranslate">site1.example.com</code> and <code class="docutils literal notranslate">site2.example.com</code>
zones.</li>
<li>Exchange mail with anyone in the <code class="docutils literal notranslate">site1.example.com</code> and <code class="docutils literal notranslate">site2.example.com</code>
zones.</li>
</ul>
Here is an example configuration for the setup just described above.
Note that this is only configuration information; for information on how
to configure the zone files, see <a class="reference internal" href="chapter3.html#sample-configuration">Configurations and Zone Files</a>.
Internal DNS server config:
<div class="highlight-default notranslate"><div class="highlight"><pre>acl internals { 172.16.72.0/24; 192.168.1.0/24; };

acl externals { bastion-ips-go-here; };

options {
 ...
 ...
 forward only;
 // forward to external servers
 forwarders {
 bastion-ips-go-here;
 };
 // sample allow-transfer (no one)
 allow-transfer { none; };
 // restrict query access
 allow-query { internals; externals; };
 // restrict recursion
 allow-recursion { internals; };
 ...
 ...
};

// sample primary zone
zone &quot;site1.example.com&quot; {
 type primary;
 file &quot;m/site1.example.com&quot;;
 // do normal iterative resolution (do not forward)
 forwarders { };
 allow-query { internals; externals; };
 allow-transfer { internals; };
};

// sample secondary zone
zone &quot;site2.example.com&quot; {
 type secondary;
 file &quot;s/site2.example.com&quot;;
 primaries { 172.16.72.3; };
 forwarders { };
 allow-query { internals; externals; };
 allow-transfer { internals; };
};

zone &quot;site1.internal&quot; {
 type primary;
 file &quot;m/site1.internal&quot;;
 forwarders { };
 allow-query { internals; };
 allow-transfer { internals; }
};

zone &quot;site2.internal&quot; {
 type secondary;
 file &quot;s/site2.internal&quot;;
 primaries { 172.16.72.3; };
 forwarders { };
 allow-query { internals };
 allow-transfer { internals; }
};
</pre></div>
</div>
External (bastion host) DNS server configuration:
<div class="highlight-default notranslate"><div class="highlight"><pre>acl internals { 172.16.72.0/24; 192.168.1.0/24; };

options {
 ...
 ...
 // sample allow-transfer (no one)
 allow-transfer { none; };
 // default query access
 allow-query { any; };
 // restrict cache access
 allow-query-cache { internals; externals; };
 // restrict recursion
 allow-recursion { internals; externals; };
 ...
 ...
};

zone &quot;site2.example.com&quot; {
 type secondary;
 file &quot;s/site2.foo.com&quot;;
 primaries { another_bastion_host_maybe; };
 allow-transfer { internals; externals; }
};
</pre></div>
</div>
In the <code class="docutils literal notranslate">resolv.conf</code> (or equivalent) on the bastion host(s):
<div class="highlight-default notranslate"><div class="highlight"><pre>search ...
nameserver 172.16.72.2
nameserver 172.16.72.3
nameserver 172.16.72.4
</pre></div>
</div>
</section>
</section>
<section id="ipv6-support-in-bind-9">
<h2>6.5. IPv6 Support in BIND 9<a class="headerlink" href="#ipv6-support-in-bind-9" title="Permalink to this headline"></a></h2>
BIND 9 fully supports all currently defined forms of IPv6 name-to-address
and address-to-name lookups. It also uses IPv6 addresses to
make queries when running on an IPv6-capable system.
For forward lookups, BIND 9 supports only AAAA records. <a class="rfc reference external" href="https://tools.ietf.org/html/rfc3363.html">RFC 3363</a>
deprecated the use of A6 records, and client-side support for A6 records
was accordingly removed from BIND 9. However, authoritative BIND 9 name
servers still load zone files containing A6 records correctly, answer
queries for A6 records, and accept zone transfer for a zone containing
A6 records.
For IPv6 reverse lookups, BIND 9 supports the traditional “nibble”
format used in the <code class="docutils literal notranslate">ip6.arpa</code> domain, as well as the older, deprecated
<code class="docutils literal notranslate">ip6.int</code> domain. Older versions of BIND 9 supported the “binary label”
(also known as “bitstring”) format, but support of binary labels has
been completely removed per <a class="rfc reference external" href="https://tools.ietf.org/html/rfc3363.html">RFC 3363</a>. Many applications in BIND 9 do not
understand the binary label format at all anymore, and return an
error if one is given. In particular, an authoritative BIND 9 name server will
not load a zone file containing binary labels.
<section id="address-lookups-using-aaaa-records">
<h3>6.5.1. Address Lookups Using AAAA Records<a class="headerlink" href="#address-lookups-using-aaaa-records" title="Permalink to this headline"></a></h3>
The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the
deprecated A6 record, specifies the entire IPv6 address in a single
record. For example:
<div class="highlight-default notranslate"><div class="highlight"><pre>$ORIGIN example.com.
host 3600 IN AAAA 2001:db8::1
</pre></div>
</div>
Use of IPv4-in-IPv6 mapped addresses is not recommended. If a host has
an IPv4 address, use an A record, not a AAAA, with
<code class="docutils literal notranslate">::ffff:192.168.42.1</code> as the address.
</section>
<section id="address-to-name-lookups-using-nibble-format">
<h3>6.5.2. Address-to-Name Lookups Using Nibble Format<a class="headerlink" href="#address-to-name-lookups-using-nibble-format" title="Permalink to this headline"></a></h3>
When looking up an address in nibble format, the address components are
simply reversed, just as in IPv4, and <code class="docutils literal notranslate">ip6.arpa.</code> is appended to the
resulting name. For example, the following commands produce a reverse name
lookup for a host with address <code class="docutils literal notranslate">2001:db8::1</code>:
<div class="highlight-default notranslate"><div class="highlight"><pre>$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
 host.example.com. )
</pre></div>
</div>
</section>
</section>
<section id="dynamically-loadable-zones-dlz">
<h2>6.6. Dynamically Loadable Zones (DLZ)<a class="headerlink" href="#dynamically-loadable-zones-dlz" title="Permalink to this headline"></a></h2>
Dynamically Loadable Zones (DLZ) are an extension to BIND 9 that allows
zone data to be retrieved directly from an external database. There is
no required format or schema.
There are number of contributed DLZ modules for several different database
backends, including MySQL and LDAP, but they are not actively maintained.
The DLZ module provides data to <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate">named</code></a> in text
format, which is then converted to DNS wire format by <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate">named</code></a>. This
conversion, and the lack of any internal caching, places significant
limits on the query performance of DLZ modules. Consequently, DLZ is not
recommended for use on high-volume servers. However, it can be used in a
hidden primary configuration, with secondaries retrieving zone updates via
AXFR. Note, however, that DLZ has no built-in support for DNS notify;
secondary servers are not automatically informed of changes to the zones in the
database.
<section id="configuring-dlz">
<h3>6.6.1. Configuring DLZ<a class="headerlink" href="#configuring-dlz" title="Permalink to this headline"></a></h3>
<dl class="namedconf statement">
<dt class="sig sig-object namedconf" id="namedconf-statement-dlz">
dlz<a class="headerlink" href="#namedconf-statement-dlz" title="Permalink to this definition"></a></dt>
<dd>Grammar zone (primary, redirect, secondary): <code class="docutils literal notranslate">dlz &lt;string&gt;;</code>
Grammar topmost, view: <div class="highlight-default notranslate"><div class="highlight"><pre>dlz &lt;string&gt; {
	database &lt;string&gt;;
	search &lt;boolean&gt;;
}; // may occur multiple times
</pre></div>
</div>

Blocks: topmost, view, zone (primary, redirect, secondary)
Tags: zone
Configures a Dynamically Loadable Zone (DLZ) database in <a class="reference internal" href="manpages.html#std-iscman-named.conf"><code class="xref std std-iscman docutils literal notranslate">named.conf</code></a>.

</dd></dl>

A DLZ database is configured with a <a class="reference internal" href="#namedconf-statement-dlz" title="namedconf-statement-dlz"><code class="xref any namedconf namedconf-ref docutils literal notranslate">dlz</code></a> statement in <a class="reference internal" href="manpages.html#std-iscman-named.conf"><code class="xref std std-iscman docutils literal notranslate">named.conf</code></a>:
<div class="highlight-default notranslate"><div class="highlight"><pre>dlz example {
database &quot;dlopen driver.so args&quot;;
search yes;
};
</pre></div>
</div>
This specifies a DLZ module to search when answering queries; the module
is implemented in <code class="docutils literal notranslate">driver.so</code> and is loaded at runtime by the dlopen
DLZ driver. Multiple <a class="reference internal" href="#namedconf-statement-dlz" title="namedconf-statement-dlz"><code class="xref any namedconf namedconf-ref docutils literal notranslate">dlz</code></a> statements can be specified.
<dl class="namedconf statement">
<dt class="sig sig-object namedconf" id="namedconf-statement-search">
search<a class="headerlink" href="#namedconf-statement-search" title="Permalink to this definition"></a></dt>
<dd>Grammar: <code class="docutils literal notranslate">search &lt;boolean&gt;;</code>
Blocks: dlz, view.dlz
Tags: query
Specifies whether a Dynamically Loadable Zone (DLZ) module is queried for an answer to a query name.

</dd></dl>

When answering a query, all DLZ modules with <a class="reference internal" href="#namedconf-statement-search" title="namedconf-statement-search"><code class="xref namedconf namedconf-ref docutils literal notranslate">search</code></a> set to <code class="docutils literal notranslate">yes</code> are
queried to see whether they contain an answer for the query name. The best
available answer is returned to the client.
The <a class="reference internal" href="#namedconf-statement-search" title="namedconf-statement-search"><code class="xref namedconf namedconf-ref docutils literal notranslate">search</code></a> option in the above example can be omitted, because
<code class="docutils literal notranslate">yes</code> is the default value.
If <a class="reference internal" href="#namedconf-statement-search" title="namedconf-statement-search"><code class="xref namedconf namedconf-ref docutils literal notranslate">search</code></a> is set to <code class="docutils literal notranslate">no</code>, this DLZ module is not searched
for the best match when a query is received. Instead, zones in this DLZ
must be separately specified in a zone statement. This allows users to
configure a zone normally using standard zone-option semantics, but
specify a different database backend for storage of the zone’s data.
For example, to implement NXDOMAIN redirection using a DLZ module for
backend storage of redirection rules:
<div class="highlight-default notranslate"><div class="highlight"><pre>dlz other {
 database &quot;dlopen driver.so args&quot;;
 search no;
};

zone &quot;.&quot; {
 type redirect;
 dlz other;
};
</pre></div>
</div>
</section>
<section id="sample-dlz-module">
<h3>6.6.2. Sample DLZ Module<a class="headerlink" href="#sample-dlz-module" title="Permalink to this headline"></a></h3>
For guidance in the implementation of DLZ modules, the <code class="docutils literal notranslate">example</code>
directory in the [gitlab.isc.org/isc-projects/dlz-modules](<a class="reference external" href="https://gitlab.isc.org/isc-projects/dlz-modules/-/tree/main/example?ref_type=heads">https://gitlab.isc.org/isc-projects/dlz-modules/-/tree/main/example?ref_type=heads</a>)
contains a basic dynamically linkable DLZ module - i.e., one which can be loaded
at runtime by the “dlopen” DLZ driver. The example sets up a single zone, whose
name is passed to the module as an argument in the <a class="reference internal" href="#namedconf-statement-dlz" title="namedconf-statement-dlz"><code class="xref any namedconf namedconf-ref docutils literal notranslate">dlz</code></a> statement:
<div class="highlight-default notranslate"><div class="highlight"><pre>dlz other {
 database &quot;dlopen driver.so example.nil&quot;;
};
</pre></div>
</div>
In the above example, the module is configured to create a zone
“example.nil”, which can answer queries and AXFR requests and accept
DDNS updates. At runtime, prior to any updates, the zone contains an
SOA, NS, and a single A record at the apex:
<div class="highlight-default notranslate"><div class="highlight"><pre>example.nil. 3600 IN SOA example.nil. hostmaster.example.nil. (
 123 900 600 86400 3600
 )
example.nil. 3600 IN NS example.nil.
example.nil. 1800 IN A 10.53.0.1
</pre></div>
</div>
The sample driver can retrieve information about the
querying client and alter its response on the basis of this
information. To demonstrate this feature, the example driver responds to
queries for “source-addr.``zonename``&gt;/TXT” with the source address of
the query. Note, however, that this record will not be included in
AXFR or ANY responses. Normally, this feature is used to alter
responses in some other fashion, e.g., by providing different address
records for a particular name depending on the network from which the
query arrived.
Documentation of the DLZ module API can be found in
[README](<a class="reference external" href="https://gitlab.isc.org/isc-projects/dlz-modules/-/raw/main/example/README">https://gitlab.isc.org/isc-projects/dlz-modules/-/raw/main/example/README</a>). This
repository also contains the header file
[dlz_minimal.h](<a class="reference external" href="https://gitlab.isc.org/isc-projects/dlz-modules/-/raw/main/modules/include/dlz_minimal.h">https://gitlab.isc.org/isc-projects/dlz-modules/-/raw/main/modules/include/dlz_minimal.h</a>),
which defines the API and should be included by any dynamically linkable DLZ
module.
</section>
</section>
<section id="dynamic-database-dyndb">
<h2>6.7. Dynamic Database (DynDB)<a class="headerlink" href="#dynamic-database-dyndb" title="Permalink to this headline"></a></h2>
Dynamic Database, or DynDB, is an extension to BIND 9 which, like DLZ (see
<a class="reference internal" href="#dlz-info">Dynamically Loadable Zones (DLZ)</a>), allows zone data to be retrieved from an external
database. Unlike DLZ, a DynDB module provides a full-featured BIND zone
database interface. Where DLZ translates DNS queries into real-time
database lookups, resulting in relatively poor query performance, and is
unable to handle DNSSEC-signed data due to its limited API, a DynDB
module can pre-load an in-memory database from the external data source,
providing the same performance and functionality as zones served
natively by BIND.
A DynDB module supporting LDAP has been created by Red Hat and is
available from <a class="reference external" href="https://pagure.io/bind-dyndb-ldap">https://pagure.io/bind-dyndb-ldap</a>.
A sample DynDB module for testing and developer guidance is included
with the BIND source code, in the directory
<code class="docutils literal notranslate">bin/tests/system/dyndb/driver</code>.
<section id="configuring-dyndb">
<h3>6.7.1. Configuring DynDB<a class="headerlink" href="#configuring-dyndb" title="Permalink to this headline"></a></h3>
<dl class="namedconf statement">
<dt class="sig sig-object namedconf" id="namedconf-statement-dyndb">
dyndb<a class="headerlink" href="#namedconf-statement-dyndb" title="Permalink to this definition"></a></dt>
<dd>Grammar: <code class="docutils literal notranslate">dyndb &lt;string&gt; &lt;quoted_string&gt; { &lt;unspecified-text&gt; }; // may occur multiple times</code>
Blocks: topmost, view
Tags: zone
Configures a DynDB database in <a class="reference internal" href="manpages.html#std-iscman-named.conf"><code class="xref std std-iscman docutils literal notranslate">named.conf</code></a>.

</dd></dl>

A DynDB database is configured with a <a class="reference internal" href="#namedconf-statement-dyndb" title="namedconf-statement-dyndb"><code class="xref any namedconf namedconf-ref docutils literal notranslate">dyndb</code></a> statement in
<a class="reference internal" href="manpages.html#std-iscman-named.conf"><code class="xref std std-iscman docutils literal notranslate">named.conf</code></a>:
<div class="highlight-default notranslate"><div class="highlight"><pre>dyndb example &quot;driver.so&quot; {
 parameters
};
</pre></div>
</div>
The file <code class="docutils literal notranslate">driver.so</code> is a DynDB module which implements the full DNS
database API. Multiple <a class="reference internal" href="#namedconf-statement-dyndb" title="namedconf-statement-dyndb"><code class="xref any namedconf namedconf-ref docutils literal notranslate">dyndb</code></a> statements can be specified, to load
different drivers or multiple instances of the same driver. Zones
provided by a DynDB module are added to the view’s zone table, and are
treated as normal authoritative zones when BIND responds to
queries. Zone configuration is handled internally by the DynDB module.
The parameters are passed as an opaque string to the DynDB module’s
initialization routine. Configuration syntax differs depending on
the driver.
</section>
<section id="sample-dyndb-module">
<h3>6.7.2. Sample DynDB Module<a class="headerlink" href="#sample-dyndb-module" title="Permalink to this headline"></a></h3>
For guidance in the implementation of DynDB modules, the directory
<code class="docutils literal notranslate">bin/tests/system/dyndb/driver</code> contains a basic DynDB module. The
example sets up two zones, whose names are passed to the module as
arguments in the <a class="reference internal" href="#namedconf-statement-dyndb" title="namedconf-statement-dyndb"><code class="xref any namedconf namedconf-ref docutils literal notranslate">dyndb</code></a> statement:
<div class="highlight-default notranslate"><div class="highlight"><pre>dyndb sample &quot;sample.so&quot; { example.nil. arpa. };
</pre></div>
</div>
In the above example, the module is configured to create a zone,
“example.nil”, which can answer queries and AXFR requests and accept
DDNS updates. At runtime, prior to any updates, the zone contains an
SOA, NS, and a single A record at the apex:
<div class="highlight-default notranslate"><div class="highlight"><pre>example.nil. 86400 IN SOA example.nil. example.nil. (
 0 28800 7200 604800 86400
 )
example.nil. 86400 IN NS example.nil.
example.nil. 86400 IN A 127.0.0.1
</pre></div>
</div>
When the zone is updated dynamically, the DynDB module determines
whether the updated RR is an address (i.e., type A or AAAA); if so,
it automatically updates the corresponding PTR record in a reverse
zone. Note that updates are not stored permanently; all updates are lost when the
server is restarted.
</section>
</section>
<section id="catalog-zones">
<h2>6.8. Catalog Zones<a class="headerlink" href="#catalog-zones" title="Permalink to this headline"></a></h2>
A “catalog zone” is a special DNS zone that contains a list of other
zones to be served, along with their configuration parameters. Zones
listed in a catalog zone are called “member zones.” When a catalog zone
is loaded or transferred to a secondary server which supports this
functionality, the secondary server creates the member zones
automatically. When the catalog zone is updated (for example, to add or
delete member zones, or change their configuration parameters), those
changes are immediately put into effect. Because the catalog zone is a
normal DNS zone, these configuration changes can be propagated using the
standard AXFR/IXFR zone transfer mechanism.
The format and behavior of catalog zones are specified in <a class="rfc reference external" href="https://tools.ietf.org/html/rfc9432.html">RFC 9432</a>.
<section id="principle-of-operation">
<h3>6.8.1. Principle of Operation<a class="headerlink" href="#principle-of-operation" title="Permalink to this headline"></a></h3>
Normally, if a zone is to be served by a secondary server, the
<a class="reference internal" href="manpages.html#std-iscman-named.conf"><code class="xref std std-iscman docutils literal notranslate">named.conf</code></a> file on the server must list the zone, or the zone must
be added using <a class="reference internal" href="manpages.html#cmdoption-rndc-arg-addzone"><code class="xref std std-option docutils literal notranslate">rndc addzone</code></a>. In environments with a large number of
secondary servers, and/or where the zones being served are changing
frequently, the overhead involved in maintaining consistent zone
configuration on all the secondary servers can be significant.
A catalog zone is a way to ease this administrative burden: it is a DNS
zone that lists member zones that should be served by secondary servers.
When a secondary server receives an update to the catalog zone, it adds,
removes, or reconfigures member zones based on the data received.
To use a catalog zone, it must first be set up as a normal zone on both the
primary and secondary servers that are configured to use it. It
must also be added to a <a class="reference internal" href="#namedconf-statement-catalog-zones" title="namedconf-statement-catalog-zones"><code class="xref any namedconf namedconf-ref docutils literal notranslate">catalog-zones</code></a> list in the <a class="reference internal" href="reference.html#namedconf-statement-options" title="namedconf-statement-options"><code class="xref namedconf namedconf-ref docutils literal notranslate">options</code></a> or
<a class="reference internal" href="reference.html#namedconf-statement-view" title="namedconf-statement-view"><code class="xref any namedconf namedconf-ref docutils literal notranslate">view</code></a> statement in <a class="reference internal" href="manpages.html#std-iscman-named.conf"><code class="xref std std-iscman docutils literal notranslate">named.conf</code></a>. This is comparable to the way a
policy zone is configured as a normal zone and also listed in a
<a class="reference internal" href="reference.html#namedconf-statement-response-policy" title="namedconf-statement-response-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate">response-policy</code></a> statement.
To use the catalog zone feature to serve a new member zone:
<ul class="simple">
<li>Set up the member zone to be served on the primary as normal. This
can be done by editing <a class="reference internal" href="manpages.html#std-iscman-named.conf"><code class="xref std std-iscman docutils literal notranslate">named.conf</code></a> or by running
<a class="reference internal" href="manpages.html#cmdoption-rndc-arg-addzone"><code class="xref std std-option docutils literal notranslate">rndc addzone</code></a>.</li>
<li>Add an entry to the catalog zone for the new member zone. This can
be done by editing the catalog zone’s zone file and running
<a class="reference internal" href="manpages.html#cmdoption-rndc-arg-reload"><code class="xref std std-option docutils literal notranslate">rndc reload</code></a>, or by updating the zone using <a class="reference internal" href="manpages.html#std-iscman-nsupdate"><code class="xref std std-iscman docutils literal notranslate">nsupdate</code></a>.</li>
</ul>
The change to the catalog zone is propagated from the primary to all
secondaries using the normal AXFR/IXFR mechanism. When the secondary receives the
update to the catalog zone, it detects the entry for the new member
zone, creates an instance of that zone on the secondary server, and points
that instance to the <a class="reference internal" href="reference.html#namedconf-statement-primaries" title="namedconf-statement-primaries"><code class="xref any namedconf namedconf-ref docutils literal notranslate">primaries</code></a> specified in the catalog zone data. The
newly created member zone is a normal secondary zone, so BIND
immediately initiates a transfer of zone contents from the primary. Once
complete, the secondary starts serving the member zone.
Removing a member zone from a secondary server requires only
deleting the member zone’s entry in the catalog zone; the change to the
catalog zone is propagated to the secondary server using the normal
AXFR/IXFR transfer mechanism. The secondary server, on processing the
update, notices that the member zone has been removed, stops
serving the zone, and removes it from its list of configured zones.
However, removing the member zone from the primary server must be done
by editing the configuration file or running
<a class="reference internal" href="manpages.html#cmdoption-rndc-arg-delzone"><code class="xref std std-option docutils literal notranslate">rndc delzone</code></a>.
</section>
<section id="configuring-catalog-zones">
<h3>6.8.2. Configuring Catalog Zones<a class="headerlink" href="#configuring-catalog-zones" title="Permalink to this headline"></a></h3>
<dl class="namedconf statement">
<dt class="sig sig-object namedconf" id="namedconf-statement-catalog-zones">
catalog-zones<a class="headerlink" href="#namedconf-statement-catalog-zones" title="Permalink to this definition"></a></dt>
<dd>Grammar: <code class="docutils literal notranslate">catalog-zones { zone &lt;string&gt; [ default-primaries [ port &lt;integer&gt; ]&#160; { ( &lt;remote-servers&gt; | &lt;ipv4_address&gt; [ port &lt;integer&gt; ] | &lt;ipv6_address&gt; [ port &lt;integer&gt; ] ) [ key &lt;string&gt; ] [ tls &lt;string&gt; ]; ... } ] [ zone-directory &lt;quoted_string&gt; ] [ in-memory &lt;boolean&gt; ] [ min-update-interval &lt;duration&gt; ]; ... };</code>
Blocks: options, view
Tags: zone
Configures catalog zones in <a class="reference internal" href="manpages.html#std-iscman-named.conf"><code class="xref std std-iscman docutils literal notranslate">named.conf</code></a>.

</dd></dl>

Catalog zones are configured with a <a class="reference internal" href="#namedconf-statement-catalog-zones" title="namedconf-statement-catalog-zones"><code class="xref any namedconf namedconf-ref docutils literal notranslate">catalog-zones</code></a> statement in the
<a class="reference internal" href="reference.html#namedconf-statement-options" title="namedconf-statement-options"><code class="xref namedconf namedconf-ref docutils literal notranslate">options</code></a> or <a class="reference internal" href="reference.html#namedconf-statement-view" title="namedconf-statement-view"><code class="xref any namedconf namedconf-ref docutils literal notranslate">view</code></a> section of <a class="reference internal" href="manpages.html#std-iscman-named.conf"><code class="xref std std-iscman docutils literal notranslate">named.conf</code></a>. For example:
<div class="highlight-default notranslate"><div class="highlight"><pre>catalog-zones {
 zone &quot;catalog.example&quot;
 default-primaries { 10.53.0.1; }
 in-memory no
 zone-directory &quot;catzones&quot;
 min-update-interval 10;
};
</pre></div>
</div>
This statement specifies that the zone <code class="docutils literal notranslate">catalog.example</code> is a catalog
zone. This zone must be properly configured in the same view. In most
configurations, it would be a secondary zone.
The options following the zone name are not required, and may be
specified in any order.
<dl class="simple">
<dt><code class="docutils literal notranslate">default-masters</code></dt><dd>Synonym for <code class="docutils literal notranslate">default-primaries</code>.
</dd>
<dt><code class="docutils literal notranslate">default-primaries</code></dt><dd>This option defines the default primaries for member
zones listed in a catalog zone, and can be overridden by options within
a catalog zone. If no such options are included, then member zones
transfer their contents from the servers listed in this option.
</dd>
<dt><code class="docutils literal notranslate">in-memory</code></dt><dd>This option, if set to <code class="docutils literal notranslate">yes</code>, causes member zones to be
stored only in memory. This is functionally equivalent to configuring a
secondary zone without a <a class="reference internal" href="reference.html#namedconf-statement-file" title="namedconf-statement-file"><code class="xref any namedconf namedconf-ref docutils literal notranslate">file</code></a> option. The default is <code class="docutils literal notranslate">no</code>; member
zones’ content is stored locally in a file whose name is
automatically generated from the view name, catalog zone name, and
member zone name.
</dd>
<dt><code class="docutils literal notranslate">zone-directory</code></dt><dd>This option causes local copies of member zones’ zone files to be
stored in the specified directory, if <code class="docutils literal notranslate">in-memory</code> is not set to
<code class="docutils literal notranslate">yes</code>. The default is to store zone files in the server’s working
directory. A non-absolute pathname in <code class="docutils literal notranslate">zone-directory</code> is assumed
to be relative to the working directory.
</dd>
<dt><code class="docutils literal notranslate">min-update-interval</code></dt><dd>This option sets the minimum interval between updates to catalog
zones, in seconds. If an update to a catalog zone (for example, via
IXFR) happens less than <code class="docutils literal notranslate">min-update-interval</code> seconds after the
most recent update, the changes are not carried out until this
interval has elapsed. The default is 5 seconds.
</dd>
</dl>
Catalog zones are defined on a per-view basis. Configuring a non-empty
<a class="reference internal" href="#namedconf-statement-catalog-zones" title="namedconf-statement-catalog-zones"><code class="xref any namedconf namedconf-ref docutils literal notranslate">catalog-zones</code></a> statement in a view automatically turns on
<a class="reference internal" href="reference.html#namedconf-statement-allow-new-zones" title="namedconf-statement-allow-new-zones"><code class="xref any namedconf namedconf-ref docutils literal notranslate">allow-new-zones</code></a> for that view. This means that <a class="reference internal" href="manpages.html#cmdoption-rndc-arg-addzone"><code class="xref std std-option docutils literal notranslate">rndc addzone</code></a>
and <a class="reference internal" href="manpages.html#cmdoption-rndc-arg-delzone"><code class="xref std std-option docutils literal notranslate">rndc delzone</code></a> also work in any view that supports catalog
zones.
</section>
<section id="catalog-zone-format">
<h3>6.8.3. Catalog Zone Format<a class="headerlink" href="#catalog-zone-format" title="Permalink to this headline"></a></h3>
A catalog zone is a regular DNS zone; therefore, it must have a single
<code class="docutils literal notranslate">SOA</code> and at least one <code class="docutils literal notranslate">NS</code> record.
A record stating the version of the catalog zone format is also
required. If the version number listed is not supported by the server,
then a catalog zone may not be used by that server.
<div class="highlight-default notranslate"><div class="highlight"><pre>catalog.example. IN SOA . . 2016022901 900 600 86400 1
catalog.example. IN NS invalid.
version.catalog.example. IN TXT &quot;2&quot;
</pre></div>
</div>
Note that this record must have the domain name
<code class="docutils literal notranslate">version.catalog-zone-name</code>. The data
stored in a catalog zone is indicated by the domain name label
immediately before the catalog zone domain. Currently BIND supports catalog zone
schema versions “1” and “2”.
Also note that the catalog zone must have an NS record in order to be a valid
DNS zone, and using the value “invalid.” for NS is recommended.
A member zone is added by including a <code class="docutils literal notranslate">PTR</code> resource record in the
<code class="docutils literal notranslate">zones</code> sub-domain of the catalog zone. The record label can be any unique label.
The target of the PTR record is the member zone name. For example, to add member zones
<code class="docutils literal notranslate">domain.example</code> and <code class="docutils literal notranslate">domain2.example</code>:
<div class="highlight-default notranslate"><div class="highlight"><pre>5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN PTR domain.example.
uniquelabel.zones.catalog.example. IN PTR domain2.example.
</pre></div>
</div>
The label is necessary to identify custom properties (see below) for a specific member zone.
Also, the zone state can be reset by changing its label, in which case BIND will remove
the member zone and add it back.
</section>
<section id="catalog-zone-custom-properties">
<h3>6.8.4. Catalog Zone Custom Properties<a class="headerlink" href="#catalog-zone-custom-properties" title="Permalink to this headline"></a></h3>
BIND uses catalog zones custom properties to define different properties which
can be set either globally for the whole catalog
zone or for a single member zone. Global custom properties override the settings
in the configuration file, and member zone custom properties override global
custom properties.
For the version “1” of the schema custom properties must be placed without a special suffix.
For the version “2” of the schema custom properties must be placed under the “.ext” suffix.
Global custom properties are set at the apex of the catalog zone, e.g.:
<div class="highlight-default notranslate"><div class="highlight"><pre>primaries.ext.catalog.example. IN AAAA 2001:db8::1
</pre></div>
</div>
BIND currently supports the following custom properties:
<ul>
<li>A simple <a class="reference internal" href="reference.html#namedconf-statement-primaries" title="namedconf-statement-primaries"><code class="xref any namedconf namedconf-ref docutils literal notranslate">primaries</code></a> definition:
<div class="highlight-default notranslate"><div class="highlight"><pre>primaries.ext.catalog.example. IN A 192.0.2.1
</pre></div>
</div>
This custom property defines a primary server for the member zones, which can be
either an A or AAAA record. If multiple primaries are set, the order in
which they are used is random.
Note: <code class="docutils literal notranslate">masters</code> can be used as a synonym for <a class="reference internal" href="reference.html#namedconf-statement-primaries" title="namedconf-statement-primaries"><code class="xref any namedconf namedconf-ref docutils literal notranslate">primaries</code></a>.
</li>
<li>A <a class="reference internal" href="reference.html#namedconf-statement-primaries" title="namedconf-statement-primaries"><code class="xref any namedconf namedconf-ref docutils literal notranslate">primaries</code></a> with a TSIG key defined:
<div class="highlight-default notranslate"><div class="highlight"><pre>label.primaries.ext.catalog.example. IN A 192.0.2.2
label.primaries.ext.catalog.example. IN TXT &quot;tsig_key_name&quot;
</pre></div>
</div>
This custom property defines a primary server for the member zone with a TSIG
key set. The TSIG key must be configured in the configuration file.
<code class="docutils literal notranslate">label</code> can be any valid DNS label.
Note: <code class="docutils literal notranslate">masters</code> can be used as a synonym for <a class="reference internal" href="reference.html#namedconf-statement-primaries" title="namedconf-statement-primaries"><code class="xref any namedconf namedconf-ref docutils literal notranslate">primaries</code></a>.
</li>
<li><a class="reference internal" href="reference.html#namedconf-statement-allow-query" title="namedconf-statement-allow-query"><code class="xref any namedconf namedconf-ref docutils literal notranslate">allow-query</code></a> and <a class="reference internal" href="reference.html#namedconf-statement-allow-transfer" title="namedconf-statement-allow-transfer"><code class="xref any namedconf namedconf-ref docutils literal notranslate">allow-transfer</code></a> ACLs:
<div class="highlight-default notranslate"><div class="highlight"><pre>allow-query.ext.catalog.example. IN APL 1:10.0.0.1/24
allow-transfer.ext.catalog.example. IN APL !1:10.0.0.1/32 1:10.0.0.0/24
</pre></div>
</div>
These custom properties are the equivalents of <a class="reference internal" href="reference.html#namedconf-statement-allow-query" title="namedconf-statement-allow-query"><code class="xref any namedconf namedconf-ref docutils literal notranslate">allow-query</code></a> and
<a class="reference internal" href="reference.html#namedconf-statement-allow-transfer" title="namedconf-statement-allow-transfer"><code class="xref any namedconf namedconf-ref docutils literal notranslate">allow-transfer</code></a> options in a zone declaration in the <a class="reference internal" href="manpages.html#std-iscman-named.conf"><code class="xref std std-iscman docutils literal notranslate">named.conf</code></a>
configuration file. The ACL is processed in order; if there is no
match to any rule, the default policy is to deny access. For the
syntax of the APL RR, see <a class="rfc reference external" href="https://tools.ietf.org/html/rfc3123.html">RFC 3123</a>.
</li>
</ul>
The member zone-specific custom properties are defined the same way as global
custom properties, but in the member zone subdomain:
<div class="highlight-default notranslate"><div class="highlight"><pre>primaries.ext.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN A 192.0.2.2
label.primaries.ext.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN AAAA 2001:db8::2
label.primaries.ext.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN TXT &quot;tsig_key_name&quot;
allow-query.ext.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN APL 1:10.0.0.0/24
primaries.ext.uniquelabel.zones.catalog.example. IN A 192.0.2.3
</pre></div>
</div>
Custom properties defined for a specific zone override the
global custom properties defined in the catalog zone. These in turn override the
global options defined in the <a class="reference internal" href="#namedconf-statement-catalog-zones" title="namedconf-statement-catalog-zones"><code class="xref any namedconf namedconf-ref docutils literal notranslate">catalog-zones</code></a> statement in the
configuration file.
Note that none of the global records for a custom property are inherited if any
records are defined for that custom property for the specific zone. For example,
if the zone had a <a class="reference internal" href="reference.html#namedconf-statement-primaries" title="namedconf-statement-primaries"><code class="xref any namedconf namedconf-ref docutils literal notranslate">primaries</code></a> record of type A but not AAAA, it
would not inherit the type AAAA record from the global custom property
or from the global option in the configuration file.
</section>
<section id="change-of-ownership-coo">
<h3>6.8.5. Change of Ownership (coo)<a class="headerlink" href="#change-of-ownership-coo" title="Permalink to this headline"></a></h3>
BIND supports the catalog zones “Change of Ownership” (coo) property. When the
same entry which exists in one catalog zone is added into another catalog zone,
the default behavior for BIND is to ignore it, and continue serving the zone
using the catalog zone where it was originally existed, unless it is removed
from there, then it can be added into the new one.
Using the <code class="docutils literal notranslate">coo</code> property it is possible to gracefully move a zone from one
catalog zone into another, by letting the catalog consumers know that it is
permitted to do so. To do that, the original catalog zone should be updated with
a new record with <code class="docutils literal notranslate">coo</code> custom property:
<div class="highlight-default notranslate"><div class="highlight"><pre>uniquelabel.zones.catalog.example. IN PTR domain2.example.
coo.uniquelabel.zones.catalog.example. IN PTR catalog2.example.
</pre></div>
</div>
Here, the <code class="docutils literal notranslate">catalog.example</code> catalog zone gives permission for the member zone
with label “uniquelabel” to be transferred into <code class="docutils literal notranslate">catalog2.example</code> catalog
zone. Catalog consumers which support the <code class="docutils literal notranslate">coo</code> property will then take note,
and when the zone is finally added into <code class="docutils literal notranslate">catalog2.example</code> catalog zone,
catalog consumers will change the ownership of the zone from <code class="docutils literal notranslate">catalog.example</code>
to <code class="docutils literal notranslate">catalog2.example</code>. BIND’s implementation simply deletes the zone from the
old catalog zone and adds it back into the new catalog zone, which also means
that all associated state for the just migrated zone will be reset, including
when the unique label is the same.
The record with <code class="docutils literal notranslate">coo</code> custom property can be later deleted by the
catalog zone operator after confirming that all the consumers have received
it and have successfully changed the ownership of the zone.
</section>
</section>
<section id="dns-firewalls-and-response-policy-zones">
<h2>6.9. DNS Firewalls and Response Policy Zones<a class="headerlink" href="#dns-firewalls-and-response-policy-zones" title="Permalink to this headline"></a></h2>
A DNS firewall examines DNS traffic and allows some responses to pass
through while blocking others. This examination can be based on several
criteria, including the name requested, the data (such as an IP address)
associated with that name, or the name or IP address of the name server
that is authoritative for the requested name. Based on these criteria, a
DNS firewall can be configured to discard, modify, or replace the original
response, allowing administrators more control over what systems can access
or be accessed from their networks.
DNS Response Policy Zones (RPZ) are a form of DNS firewall in which the
firewall rules are expressed within the DNS itself - encoded in an open,
vendor-neutral format as records in specially constructed DNS zones.
Using DNS zones to configure policy allows policy to be shared from
one server to another using the standard DNS zone transfer mechanism.
This allows a DNS operator to maintain their own firewall policies and
share them easily amongst their internal name servers, or to subscribe to
external firewall policies such as commercial or cooperative “threat
feeds,” or both.
<a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate">named</code></a> can subscribe to up to 64 Response Policy Zones, each of which
encodes a separate policy rule set. Each rule is stored in a DNS resource
record set (RRset) within the RPZ, and consists of a trigger and an
action. There are five types of triggers and six types of actions.
A response policy rule in a DNS RPZ can be triggered as follows:
<ul class="simple">
<li>by the IP address of the client</li>
<li>by the query name</li>
<li>by an address which would be present in a truthful response</li>
<li>by the name or address of an authoritative name server responsible for
publishing the original response</li>
</ul>
A response policy action can be one of the following:
<ul class="simple">
<li>to synthesize a “domain does not exist” (NXDOMAIN) response</li>
<li>to synthesize a “name exists but there are no records of the requested
type” (NODATA) response</li>
<li>to drop the response</li>
<li>to switch to TCP by sending a truncated UDP response that requires the
DNS client to try again with TCP</li>
<li>to replace/override the response’s data with specific data (provided
within the response policy zone)</li>
<li>to exempt the response from further policy processing</li>
</ul>
The most common use of a DNS firewall is to “poison” a domain name, IP
address, name server name, or name server IP address. Poisoning is usually
done by forcing a synthetic “domain does not exist” (NXDOMAIN) response.
This means that if an administrator maintains a list of known “phishing”
domains, these names can be made unreachable by customers or end users just
by adding a firewall policy into the recursive DNS server, with a trigger
for each known “phishing” domain, and an action in every case forcing a
synthetic NXDOMAIN response. It is also possible to use a data-replacement
action such as answering for these known “phishing” domains with the name
of a local web server that can display a warning page. Such a web server
would be called a “walled garden.”
<div class="admonition note">
Note
Authoritative name servers can be responsible for many different domains.
If DNS RPZ is used to poison all domains served by some authoritative
name server name or address, the effects can be quite far-reaching. Users
are advised to ensure that such authoritative name servers do not also
serve domains that should not be poisoned.
</div>
<section id="why-use-a-dns-firewall">
<h3>6.9.1. Why Use a DNS Firewall?<a class="headerlink" href="#why-use-a-dns-firewall" title="Permalink to this headline"></a></h3>
Criminal and network abuse traffic on the Internet often uses the Domain
Name System (DNS), so protection against these threats should include DNS
firewalling. A DNS firewall can selectively intercept DNS queries for
known network assets including domain names, IP addresses, and name
servers. Interception can mean rewriting a DNS response to direct a web
browser to a “walled garden,” or simply making any malicious network assets
invisible and unreachable.
</section>
<section id="what-can-a-dns-firewall-do">
<h3>6.9.2. What Can a DNS Firewall Do?<a class="headerlink" href="#what-can-a-dns-firewall-do" title="Permalink to this headline"></a></h3>
Firewalls work by applying a set of rules to a traffic flow, where each
rule consists of a trigger and an action. Triggers determine which messages
within the traffic flow are handled specially, and actions determine what
that special handling is. For a DNS firewall, the traffic flow to be
controlled consists of responses sent by a recursive DNS server to its
end-user clients. Some true responses are not safe for all clients, so the
policy rules in a DNS firewall allow some responses to be intercepted and
replaced with safer content.
</section>
<section id="creating-and-maintaining-rpz-rule-sets">
<h3>6.9.3. Creating and Maintaining RPZ Rule Sets<a class="headerlink" href="#creating-and-maintaining-rpz-rule-sets" title="Permalink to this headline"></a></h3>
In DNS RPZ, the DNS firewall policy rule set is stored in a DNS zone, which
is maintained and synchronized using the same tools and methods as for any
other DNS zone. The primary name server for a DNS RPZ may be an internal
server, if an administrator is creating and maintaining their own DNS
policy zone, or it may be an external name server (such as a security
vendor’s server), if importing a policy zone published externally. The
primary copy of the DNS firewall policy can be a DNS “zone file” which is
either edited by hand or generated from a database. A DNS zone can also be
edited indirectly using DNS dynamic updates (for example, using the
“nsupdate” shell level utility).
DNS RPZ allows firewall rules to be expressed in a DNS zone format and then
carried to subscribers as DNS data. A recursive DNS server which is capable
of processing DNS RPZ synchronizes these DNS firewall rules using the same
standard DNS tools and protocols used for secondary name service. The DNS
policy information is then promoted to the DNS control plane inside the
customer’s DNS resolver, making that server into a DNS firewall.
A security company whose products include threat intelligence feeds can use
a DNS Response Policy Zone (RPZ) as a delivery channel to customers.
Threats can be expressed as known-malicious IP addresses and subnets,
known-malicious domain names, and known-malicious domain name servers. By
feeding this threat information directly into customers’ local DNS
resolvers, providers can transform these DNS servers into a distributed DNS
firewall.
When a customer’s DNS resolver is connected by a realtime subscription to a
threat intelligence feed, the provider can protect the customer’s end users
from malicious network elements (including IP addresses and subnets, domain
names, and name servers) immediately as they are discovered. While it may
take days or weeks to “take down” criminal and abusive infrastructure once
reported, a distributed DNS firewall can respond instantly.
Other distributed TCP/IP firewalls have been on the market for many years,
and enterprise users are now comfortable importing real-time threat
intelligence from their security vendors directly into their firewalls.
This intelligence can take the form of known-malicious IP addresses or
subnets, or of patterns which identify known-malicious email attachments,
file downloads, or web addresses (URLs). In some products it is also
possible to block DNS packets based on the names or addresses they carry.
</section>
<section id="limitations-of-dns-rpz">
<h3>6.9.4. Limitations of DNS RPZ<a class="headerlink" href="#limitations-of-dns-rpz" title="Permalink to this headline"></a></h3>
We’re often asked if DNS RPZ could be used to set up redirection to a CDN.
For example, if “mydomain.com” is a normal domain with SOA, NS, MX, TXT
records etc., then if someone sends an A or AAAA query for “mydomain.com”,
can we use DNS RPZ on an authoritative nameserver to return “CNAME
mydomain.com.my-cdn-provider.net”?
The problem with this suggestion is that there is no way to CNAME only A
and AAAA queries, not even with RPZ.
The underlying reason is that if the authoritative server answers with a
CNAME, the recursive server making that query will cache the response.
Thereafter (while the CNAME is still in cache), it assumes that there are
no records of any non-CNAME type for the name that was being queried, and
directs subsequent queries for all other types directly to the target name
of the CNAME record.
To be clear, this is not a limitation of RPZ; it is a function of the way
the DNS protocol works. It’s simply not possible to use “partial” CNAMES to
help when setting up CDNs because doing this will break other functionality
such as email routing.
Similarly, following the DNS protocol definition, wildcards in the form of
<code class="docutils literal notranslate">*.example</code> records might behave in unintuitive ways. For a detailed
definition of wildcards in DNS, please see <a class="rfc reference external" href="https://tools.ietf.org/html/rfc4592.html">RFC 4592</a>, especially section 2.
</section>
<section id="dns-firewall-usage-examples">
<h3>6.9.5. DNS Firewall Usage Examples<a class="headerlink" href="#dns-firewall-usage-examples" title="Permalink to this headline"></a></h3>
Here are some scenarios in which a DNS firewall might be useful.
Some known threats are based on an IP address or subnet (IP address range).
For example, an analysis may show that all addresses in a “class C” network
are used by a criminal gang for “phishing” web servers. With a DNS firewall
based on DNS RPZ, a firewall policy can be created such as “if a DNS lookup
would result in an address from this class C network, then answer instead
with an NXDOMAIN indication.” That simple rule would prevent any end users
inside customers’ networks from being able to look up any domain name used
in this phishing attack – without having to know in advance what those
names might be.
Other known threats are based on domain names. An analysis may determine
that a certain domain name or set of domain names is being or will shortly
be used for spamming, phishing, or other Internet-based attacks which all
require working domain names. By adding name-triggered rules to a
distributed DNS firewall, providers can protect customers’ end users from
any attacks which require them to be able to look up any of these malicious
names. The names can be wildcards (for example, *.evil.com), and these
wildcards can have exceptions if some domains are not as malicious as
others (if *.evil.com is bad, then not.evil.com might be an exception).
Alongside growth in electronic crime has come growth of electronic criminal
expertise. Many criminal gangs now maintain their own extensive DNS
infrastructure to support a large number of domain names and a diverse set
of IP addressing resources. Analyses show in many cases that the only truly
fixed assets criminal organizations have are their name servers, which are
by nature slightly less mobile than other network assets. In such cases,
DNS administrators can anchor their DNS firewall policies in the abusive
name server names or name server addresses, and thus protect their
customers’ end users from threats where neither the domain name nor the IP
address of that threat is known in advance.
Electronic criminals rely on the full resiliency of DNS just as the rest of
digital society does. By targeting criminal assets at the DNS level we can
deny these criminals the resilience they need. A distributed DNS firewall
can leverage the high skills of a security company to protect a large
number of end users. DNS RPZ, as the first open and vendor-neutral
distributed DNS firewall, can be an effective way to deliver threat
intelligence to customers.
<section id="a-real-world-example-of-dns-rpz-s-value">
<h4>6.9.5.1. A Real-World Example of DNS RPZ’s Value<a class="headerlink" href="#a-real-world-example-of-dns-rpz-s-value" title="Permalink to this headline"></a></h4>
The Conficker malware worm (<a class="reference external" href="https://en.wikipedia.org/wiki/Conficker">https://en.wikipedia.org/wiki/Conficker</a>) was
first detected in 2008. Although it is no longer an active threat, the
techniques described here can be applied to other DNS threats.
Conficker used a domain generation algorithm (DGA) to choose up to 50,000
command and control domains per day. It would be impractical to create
an RPZ that contains so many domain names and changes so much on a daily
basis. Instead, we can trigger RPZ rules based on the names of the name
servers that are authoritative for the command and control domains, rather
than trying to trigger on each of 50,000 different (daily) query names.
Since the well-known name server names for Conficker’s domain names are
never used by nonmalicious domains, it is safe to poison all lookups that
rely on these name servers. Here is an example that achieves this result:
<div class="highlight-none notranslate"><div class="highlight"><pre>$ORIGIN rpz.example.com.
ns.0xc0f1c3a5.com.rpz-nsdname CNAME *.walled-garden.example.com.
ns.0xc0f1c3a5.net.rpz-nsdname CNAME *.walled-garden.example.com.
ns.0xc0f1c3a5.org.rpz-nsdname CNAME *.walled-garden.example.com.
</pre></div>
</div>
The <code class="docutils literal notranslate">*</code> at the beginning of these CNAME target names is special, and it
causes the original query name to be prepended to the CNAME target. So if a
user tries to visit the Conficker command and control domain
racaldftn.com.ai (which was a valid Conficker command and control
domain name on 19-October-2011), the RPZ-configured recursive name server
will send back this answer:
<div class="highlight-none notranslate"><div class="highlight"><pre>racaldftn.com.ai. CNAME racaldftn.com.ai.walled-garden.example.com.
racaldftn.com.ai.walled-garden.example.com. A 192.168.50.3
</pre></div>
</div>
This example presumes that the following DNS content has also been created,
which is not part of the RPZ zone itself but is in another domain:
<div class="highlight-none notranslate"><div class="highlight"><pre>$ORIGIN walled-garden.example.com.
* A 192.168.50.3
</pre></div>
</div>
Assuming that we’re running a web server listening on 192.168.50.3 that
always displays a warning message no matter what uniform resource
identifier (URI) is used, the above RPZ configuration will instruct the web
browser of any infected end user to connect to a “server name” consisting
of their original lookup name (racaldftn.com.ai) prepended to the walled
garden domain name (walled-garden.example.com). This is the name that will
appear in the web server’s log file, and having the full name in that log
file will facilitate an analysis as to which users are infected with what
virus.
</section>
</section>
<section id="keeping-firewall-policies-updated">
<h3>6.9.6. Keeping Firewall Policies Updated<a class="headerlink" href="#keeping-firewall-policies-updated" title="Permalink to this headline"></a></h3>
It is vital for overall system performance that incremental zone transfers
(see <a class="rfc reference external" href="https://tools.ietf.org/html/rfc1995.html">RFC 1995</a>) and real-time change notification (see <a class="rfc reference external" href="https://tools.ietf.org/html/rfc1996.html">RFC 1996</a>) be
used to synchronize DNS firewall rule sets between the publisher’s primary
copy of the rule set and the subscribers’ working copies of the rule set.
If DNS dynamic updates are used to maintain a DNS RPZ rule set, the name
server automatically calculates a stream of deltas for use when sending
incremental zone transfers to the subscribing name servers. Sending a
stream of deltas – known as an “incremental zone transfer” or IXFR – is
usually much faster than sending the full zone every time it changes, so
it’s worth the effort to use an editing method that makes such incremental
transfers possible.
Administrators who edit or periodically regenerate a DNS RPZ rule set and
whose primary name server uses BIND can enable the
<a class="reference internal" href="reference.html#namedconf-statement-ixfr-from-differences" title="namedconf-statement-ixfr-from-differences"><code class="xref any namedconf namedconf-ref docutils literal notranslate">ixfr-from-differences</code></a> option, which tells the primary name server to
calculate the differences between each new zone and the preceding version,
and to make these differences available as a stream of deltas for use in
incremental zone transfers to the subscribing name servers. This will look
something like the following:
<div class="highlight-c notranslate"><div class="highlight"><pre>options {
 // ...
 ixfr-from-differences yes;
 // ...
};
</pre></div>
</div>
As mentioned above, the simplest and most common use of a DNS firewall is
to poison domain names known to be purely malicious, by simply making them
disappear. All DNS RPZ rules are expressed as resource record sets
(RRsets), and the way to express a “force a name-does-not-exist condition”
is by adding a CNAME pointing to the root domain (<code class="docutils literal notranslate">.</code>). In practice this
looks like:
<div class="highlight-none notranslate"><div class="highlight"><pre>$ORIGIN rpz.example.com.
malicious1.org CNAME .
*.malicious1.org CNAME .
malicious2.org CNAME .
*.malicious2.org CNAME .
</pre></div>
</div>
Two things are noteworthy in this example. First, the malicious names are
made relative within the response policy zone. Since there is no trailing
dot following “.org” in the above example, the actual RRsets created within
this response policy zone are, after expansion:
<div class="highlight-none notranslate"><div class="highlight"><pre>malicious1.org.rpz.example.com. CNAME .
*.malicious1.org.rpz.example.com. CNAME .
malicious2.org.rpz.example.com. CNAME .
*.malicious2.org.rpz.example.com. CNAME .
</pre></div>
</div>
Second, for each name being poisoned, a wildcard name is also listed.
This is because a malicious domain name probably has or may potentially
have malicious subdomains.
In the above example, the relative domain names <cite>malicious1.org</cite> and
<cite>malicious2.org</cite> will match only the real domain names <cite>malicious1.org</cite>
and <cite>malicious2.org</cite>, respectively. The relative domain names
<cite>*.malicious1.org</cite> and <cite>*.malicious2.org</cite> will match any
<cite>subdomain.of.malicious1.org</cite> or <cite>subdomain.of.malicious2.org</cite>,
respectively.
This example forces an NXDOMAIN condition as its policy action, but other
policy actions are also possible.
</section>
<section id="performance-and-scalability-when-using-multiple-rpzs">
<h3>6.9.7. Performance and Scalability When Using Multiple RPZs<a class="headerlink" href="#performance-and-scalability-when-using-multiple-rpzs" title="Permalink to this headline"></a></h3>
Since version 9.10, BIND can be configured to have different response
policies depending on the identity of the querying client and the nature of
the query. To configure BIND response policy, the information is placed
into a zone file whose only purpose is conveying the policy information to
BIND. A zone file containing response policy information is called a
Response Policy Zone, or RPZ, and the mechanism in BIND that uses the
information in those zones is called DNS RPZ.
It is possible to use as many as 64 separate RPZ files in a single instance
of BIND, and BIND is not significantly slowed by such heavy use of RPZ.
(Note: by default, BIND 9.11 only supports up to 32 RPZ files, but this
can be increased to 64 at compile time. All other supported versions of
BIND support 64 by default.)
Each one of the policy zone files can specify policy for as many
different domains as necessary. The limit of 64 is on the number of
independently-specified policy collections and not the number of zones
for which they specify policy.
Policy information from all of the policy zones together are stored in a
special data structure allowing simultaneous lookups across all policy
zones to be performed very rapidly. Looking up a policy rule is
proportional to the logarithm of the number of rules in the largest
single policy zone.
</section>
<section id="practical-tips-for-dns-firewalls-and-dns-rpz">
<h3>6.9.8. Practical Tips for DNS Firewalls and DNS RPZ<a class="headerlink" href="#practical-tips-for-dns-firewalls-and-dns-rpz" title="Permalink to this headline"></a></h3>
Administrators who subscribe to an externally published DNS policy zone and
who have a large number of internal recursive name servers should create an
internal name server called a “distribution master” (DM). The DM is a
secondary (stealth secondary) name server from the publisher’s point of
view; that is, the DM is fetching zone content from the external server.
The DM is also a primary name server from the internal recursive name
servers’ point of view: they fetch zone content from the DM. In this
configuration the DM is acting as a gateway between the external publisher
and the internal subscribers.
The primary server must know the unicast listener address of every
subscribing recursive server, and must enumerate all of these addresses as
destinations for real time zone change notification (as described in
<a class="rfc reference external" href="https://tools.ietf.org/html/rfc1996.html">RFC 1996</a>). So if an enterprise-wide RPZ is called “rpz.example.com” and
if the unicast listener addresses of four of the subscribing recursive name
servers are 192.0.200.1, 192.0.201.1, 192.0.202.1, and 192.0.203.1, the
primary server’s configuration looks like this:
<div class="highlight-c notranslate"><div class="highlight"><pre>zone &quot;rpz.example.com&quot; {
 type primary;
 file &quot;primary/rpz.example.com&quot;;
 notify explicit;
 also-notify { 192.0.200.1;
 192.0.201.1;
 192.0.202.1;
 192.0.203.1; };
 allow-transfer { 192.0.200.1;
 192.0.201.1;
 192.0.202.1;
 192.0.203.1; };
 allow-query { localhost; };
};
</pre></div>
</div>
Each recursive DNS server that subscribes to the policy zone must be
configured as a secondary server for the zone, and must also be configured
to use the policy zone for local response policy. To subscribe a recursive
name server to a response policy zone where the unicast listener address
of the primary server is 192.0.220.2, the server’s configuration should
look like this:
<div class="highlight-c notranslate"><div class="highlight"><pre>options {
 // ...
 response-policy {
 zone &quot;rpz.example.com&quot;;
 };
 // ...
};

zone &quot;rpz.example.com&quot;;
 type secondary;
 primaries { 192.0.222.2; };
 file &quot;secondary/rpz.example.com&quot;;
 allow-query { localhost; };
 allow-transfer { none; };
};
</pre></div>
</div>
Note that queries are restricted to “localhost,” since query access is
never used by DNS RPZ itself, but may be useful to DNS operators for use in
debugging. Transfers should be disallowed to prevent policy information
leaks.
If an organization’s business continuity depends on full connectivity with
another company whose ISP also serves some criminal or abusive customers,
it’s possible that one or more external RPZ providers – that is, security
feed vendors – may eventually add some RPZ rules that could hurt a
company’s connectivity to its business partner. Users can protect
themselves from this risk by using an internal RPZ in addition to any
external RPZs, and by putting into their internal RPZ some “pass-through”
rules to prevent any policy action from affecting a DNS response that
involves a business partner.
A recursive DNS server can be connected to more than one RPZ, and these are
searched in order. Therefore, to protect a network from dangerous policies
which may someday appear in external RPZ zones, administrators should list
the internal RPZ zones first.
<div class="highlight-c notranslate"><div class="highlight"><pre>options {
 // ...
 response-policy {
 zone &quot;rpz.example.com&quot;;
 zone &quot;rpz.security-vendor-1.com&quot;;
 zone &quot;rpz.security-vendor-2.com&quot;;
 };
 // ...
};
</pre></div>
</div>
Within an internal RPZ, there need to be rules describing the network
assets of business partners whose communications need to be protected.
Although it is not generally possible to know what domain names they use,
administrators will be aware of what address space they have and perhaps
what name server names they use.
<div class="highlight-none notranslate"><div class="highlight"><pre>$ORIGIN rpz.example.com.
8.0.0.0.10.rpz-ip CNAME rpz-passthru.
16.0.0.45.128.rpz-nsip CNAME rpz-passthru.
ns.partner1.com.rpz-nsdname CNAME rpz-passthru.
ns.partner2.com.rpz-nsdname CNAME rpz-passthru.
</pre></div>
</div>
Here, we know that answers in address block 10.0.0.0/8 indicate a business
partner, as well as answers involving any name server whose address is in
the 128.45.0.0/16 address block, and answers involving the name servers
whose names are ns.partner1.com or ns.partner2.com.
The above example demonstrates that when matching by answer IP address (the
.rpz-ip owner), or by name server IP address (the .rpz-nsip owner) or by
name server domain name (the .rpz-nsdname owner), the special RPZ marker
(.rpz-ip, .rpz-nsip, or .rpz-nsdname) does not appear as part of the CNAME
target name.
By triggering these rules using the known network assets of a partner,
and using the “pass-through” policy action, no later RPZ processing
(which in the above example refers to the “rpz.security-vendor-1.com” and
“rpz.security-vendor-2.com” policy zones) will have any effect on DNS
responses for partner assets.
</section>
<section id="creating-a-simple-walled-garden-triggered-by-ip-address">
<h3>6.9.9. Creating a Simple Walled Garden Triggered by IP Address<a class="headerlink" href="#creating-a-simple-walled-garden-triggered-by-ip-address" title="Permalink to this headline"></a></h3>
It may be the case that the only thing known about an attacker is the IP
address block they are using for their “phishing” web servers. If the
domain names and name servers they use are unknown, but it is known that
every one of their “phishing” web servers is within a small block of IP
addresses, a response can be triggered on all answers that would include
records in this address range, using RPZ rules that look like the following
example:
<div class="highlight-none notranslate"><div class="highlight"><pre>$ORIGIN rpz.example.com.
22.0.212.94.109.rpz-ip CNAME drop.garden.example.com.
*.212.94.109.in-addr.arpa CNAME .
*.213.94.109.in-addr.arpa CNAME .
*.214.94.109.in-addr.arpa CNAME .
*.215.94.109.in-addr.arpa CNAME .
</pre></div>
</div>
Here, if a truthful answer would include an A (address) RR (resource
record) whose value were within the 109.94.212.0/22 address block, then a
synthetic answer is sent instead of the truthful answer. Assuming the query
is for www.malicious.net, the synthetic answer is:
<div class="highlight-none notranslate"><div class="highlight"><pre>www.malicious.net. CNAME drop.garden.example.com.
drop.garden.example.com. A 192.168.7.89
</pre></div>
</div>
This assumes that <cite>drop.garden.example.com</cite> has been created as real DNS
content, outside of the RPZ:
<div class="highlight-none notranslate"><div class="highlight"><pre>$ORIGIN example.com.
drop.garden A 192.168.7.89
</pre></div>
</div>
In this example, there is no “*” in the CNAME target name, so the original
query name will not be present in the walled garden web server’s log file.
This is an undesirable loss of information, and is shown here for example
purposes only.
The above example RPZ rules would also affect address-to-name (also
known as “reverse DNS”) lookups for the unwanted addresses. If a mail
or web server receives a connection from an address in the example’s
109.94.212.0/22 address block, it will perform a PTR record lookup to
find the domain name associated with that IP address.
This kind of address-to-name translation is usually used for diagnostic or
logging purposes, but it is also common for email servers to reject any
email from IP addresses which have no address-to-name translation. Most
mail from such IP addresses is spam, so the lack of a PTR record here has
some predictive value. By using the “force name-does-not-exist” policy
trigger on all lookups in the PTR name space associated with an address
block, DNS administrators can give their servers a hint that these IP
addresses are probably sending junk.
</section>
<section id="a-known-inconsistency-in-dns-rpz-s-nsdname-and-nsip-rules">
<h3>6.9.10. A Known Inconsistency in DNS RPZ’s NSDNAME and NSIP Rules<a class="headerlink" href="#a-known-inconsistency-in-dns-rpz-s-nsdname-and-nsip-rules" title="Permalink to this headline"></a></h3>
Response Policy Zones define several possible triggers for each rule, and
among these two are known to produce inconsistent results. This is not a
bug; rather, it relates to inconsistencies in the DNS delegation model.
<section id="dns-delegation">
<h4>6.9.10.1. DNS Delegation<a class="headerlink" href="#dns-delegation" title="Permalink to this headline"></a></h4>
In DNS authority data, an NS RRset that is not at the apex of a DNS zone
creates a sub-zone. That sub-zone’s data is separate from the current (or
“parent”) zone, and it can have different authoritative name servers than
the current zone. In this way, the root zone leads to COM, NET, ORG, and so
on, each of which have their own name servers and their own way of managing
their authoritative data. Similarly, ORG has delegations to ISC.ORG and to
millions of other “dot-ORG” zones, each of which can have its own set of
authoritative name servers. In the parlance of the protocol, these NS
RRsets below the apex of a zone are called “delegation points.” An
NS RRset at a delegation point contains a list of authoritative servers
to which the parent zone is delegating authority for all names at or below
the delegation point.
At the apex of every zone there is also an NS RRset. Ideally, this
so-called “apex NS RRset” should be identical to the “delegation point NS
RRset” in the parent zone, but this ideal is not always achieved. In the
real DNS, it’s almost always easier for a zone administrator to update one
of these NS RRsets than the other, so that one will be correct and the
other out of date. This inconsistency is so common that it’s been
necessarily rendered harmless: domains that are inconsistent in this way
are less reliable and perhaps slower, but they still function as long as
there is some overlap between each of the NS RRsets and the truth. (“Truth”
in this case refers to the actual set of name servers that are
authoritative for the zone.)
</section>
<section id="a-quick-review-of-dns-iteration">
<h4>6.9.10.2. A Quick Review of DNS Iteration<a class="headerlink" href="#a-quick-review-of-dns-iteration" title="Permalink to this headline"></a></h4>
In DNS recursive name servers, an incoming query that cannot be answered
from the local cache is sent to the closest known delegation point for the
query name. For example, if a server is looking up XYZZY.ISC.ORG and it
the name servers for ISC.ORG, then it sends the query to those servers
directly; however, if it has never heard of ISC.ORG before, it must first
send the query to the name servers for ORG (or perhaps even to the root
zone that is the parent of ORG).
When it asks one of the parent name servers, that server will not have an
answer, so it sends a “referral” consisting only of the “delegation point
NS RRset.” Once the server receives this referral, it “iterates” by sending
the same query again, but this time to name servers for a more specific
part of the query name. Eventually this iteration terminates, usually by
getting an answer or a “name error” (NXDOMAIN) from the query name’s
authoritative server, or by encountering some type of server failure.
When an authoritative server for the query name sends an answer, it has the
option of including a copy of the zone’s apex NS RRset. If this occurs, the
recursive name server caches this NS RRset, replacing the delegation point
NS RRset that it had received during the iteration process. In the parlance
of the DNS, the delegation point NS RRset is “glue,” meaning
non-authoritative data, or more of a hint than a real truth. On the other
hand, the apex NS RRset is authoritative data, coming as it does from the
zone itself, and it is considered more credible than the “glue.” For this
reason, it’s a little bit more important that the apex NS RRset be correct
than that the delegation point NS RRset be correct, since the former will
quickly replace the latter, and will be used more often for a longer total
period of time.
Importantly, the authoritative name server need not include its apex NS
RRset in any answers, and recursive name servers do not ordinarily query
directly for this RRset. Therefore it is possible for the apex NS RRset to
be completely wrong without any operational ill-effects, since the wrong
data need not be exposed. Of course, if a query comes in for this NS RRset,
most recursive name servers will forward the query to the zone’s authority
servers, since it’s bad form to return “glue” data when asked a specific
question. In these corner cases, bad apex NS RRset data can cause a zone to
become unreachable unpredictably, according to what other queries the
recursive name server has processed.
There is another kind of “glue,” for name servers whose names are below
delegation points. If ORG delegates ISC.ORG to NS-EXT.ISC.ORG, the ORG
server needs to know an address for NS-EXT.ISC.ORG and return this address
as part of the delegation response. However, the name-to-address binding
for this name server is only authoritative inside the ISC.ORG zone;
therefore, the A or AAAA RRset given out with the delegation is
non-authoritative “glue,” which is replaced by an authoritative RRset if
one is seen. As with apex NS RRsets, the real A or AAAA RRset is not
automatically queried for by the recursive name server, but is queried for
if an incoming query asks for this RRset.
</section>
<section id="enter-rpz">
<h4>6.9.10.3. Enter RPZ<a class="headerlink" href="#enter-rpz" title="Permalink to this headline"></a></h4>
RPZ has two trigger types that are intended to allow policy zone authors to
target entire groups of domains based on those domains all being served by
the same DNS servers: NSDNAME and NSIP. The NSDNAME and NSIP rules are
matched against the name and IP address (respectively) of the nameservers
of the zone the answer is in, and all of its parent zones. In its default
configuration, BIND actively fetches any missing NS RRsets and address
records. If, in the process of attempting to resolve the names of all of
these delegated server names, BIND receives a SERVFAIL response for any of
the queries, then it aborts the policy rule evaluation and returns SERVFAIL
for the query. This is technically neither a match nor a non-match of the
rule.
Every “.” in a fully qualified domain name (FQDN) represents a potential
delegation point. When BIND goes searching for parent zone NS RRsets (and,
in the case of NSIP, their accompanying address records), it has to check
every possible delegation point. This can become a problem for some
specialized pseudo-domains, such as some domain name and network reputation
systems, that have many “.” characters in the names. It is further
complicated if that system also has non-compliant DNS servers that silently
drop queries for NS and SOA records. This forces BIND to wait for those
queries to time out before it can finish evaluating the policy rule, even
if this takes longer than a reasonable client typically waits for an answer
(delays of over 60 seconds have been observed).
While both of these cases do involve configurations and/or servers that are
technically “broken,” they may still “work” outside of RPZ NSIP and NSDNAME
rules because of redundancy and iteration optimizations.
There are two RPZ options, <code class="docutils literal notranslate">nsip-wait-recurse</code> and <code class="docutils literal notranslate">nsdname-wait-recurse</code>,
that alter BIND’s behavior by allowing it to use only those records that
already exist in the cache when evaluating NSIP and NSDNAME rules,
respectively.
Therefore NSDNAME and NSIP rules are unreliable. The rules may be matched
against either the apex NS RRset or the “glue” NS RRset, each with their
associated addresses (that also might or might not be “glue”). It’s in the
administrator’s interests to discover both the delegation name server names
and addresses, and the apex name server names and authoritative address
records, to ensure correct use of NS and NSIP triggers in RPZ. Even then,
there may be collateral damage to completely unrelated domains that
otherwise “work,” just by having NSIP and NSDNAME rules.
</section>
</section>
<section id="example-using-rpz-to-disable-mozilla-doh-by-default">
<h3>6.9.11. Example: Using RPZ to Disable Mozilla DoH-by-Default<a class="headerlink" href="#example-using-rpz-to-disable-mozilla-doh-by-default" title="Permalink to this headline"></a></h3>
Mozilla announced in September 2019 that they would enable DNS-over-HTTPS
(DoH) for all US-based users of the Firefox browser, sending all their DNS
queries to predefined DoH providers (Cloudflare’s 1.1.1.1 service in
particular). This is a concern for some network administrators who do not
want their users’ DNS queries to be rerouted unexpectedly. However,
Mozilla provides a mechanism to disable the DoH-by-default setting:
if the Mozilla-owned domain <a class="reference external" href="https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet">use-application-dns.net</a>
returns an NXDOMAIN response code, Firefox will not use DoH.
To accomplish this using RPZ:
<ol class="arabic simple">
<li>Create a polizy zone file called <code class="docutils literal notranslate">mozilla.rpz.db</code> configured so
that NXDOMAIN will be returned for any query to <code class="docutils literal notranslate">use-application-dns.net</code>:</li>
</ol>
<div class="highlight-none notranslate"><div class="highlight"><pre>$TTL 604800
$ORIGIN mozilla.rpz.
@ IN SOA localhost. root.localhost. 1 604800 86400 2419200 604800
@ IN NS localhost.
use-application-dns.net CNAME .
</pre></div>
</div>
<ol class="arabic simple" start="2">
<li>Add the zone into the BIND configuration (usually <a class="reference internal" href="manpages.html#std-iscman-named.conf"><code class="xref std std-iscman docutils literal notranslate">named.conf</code></a>):</li>
</ol>
<div class="highlight-c notranslate"><div class="highlight"><pre>zone mozilla.rpz {
 type primary;
 file &quot;/&lt;PATH_TO&gt;/mozilla.rpz.db&quot;;
 allow-query { localhost; };
};
</pre></div>
</div>
<ol class="arabic simple" start="3">
<li>Enable use of the Response Policy Zone for all incoming queries
by adding the <a class="reference internal" href="reference.html#namedconf-statement-response-policy" title="namedconf-statement-response-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate">response-policy</code></a> directive into the <code class="docutils literal notranslate">options {}</code>
section:</li>
</ol>
<div class="highlight-c notranslate"><div class="highlight"><pre>options {
 response-policy { zone mozilla.rpz; } break-dnssec yes;
};
</pre></div>
</div>
<ol class="arabic simple" start="4">
<li>Reload the configuration and test whether the Response Policy
Zone that was just added is in effect:</li>
</ol>
<div class="highlight-shell-session notranslate"><div class="highlight"><pre># rndc reload
# dig IN A use-application-dns.net @&lt;IP_ADDRESS_OF_YOUR_RESOLVER&gt;
# dig IN AAAA use-application-dns.net @&lt;IP_ADDRESS_OF_YOUR_RESOLVER&gt;
</pre></div>
</div>
The response should return NXDOMAIN instead of the list of IP addresses,
and the BIND 9 log should contain lines like this:
<div class="highlight-none notranslate"><div class="highlight"><pre>09-Sep-2019 18:50:49.439 client @0x7faf8e004a00 ::1#54175 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.mozilla.rpz
09-Sep-2019 18:50:49.439 client @0x7faf8e007800 127.0.0.1#62915 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.mozilla.rpz
</pre></div>
</div>
Note that this is the simplest possible configuration; specific
configurations may be different, especially for administrators who are
already using other response policy zones, or whose servers are configured
with multiple views.
</section>
</section>
</section>

</div>
 </div>
 <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
 <a href="chapter5.html" class="btn btn-neutral float-left" title="5. DNSSEC" accesskey="p" rel="prev"> Previous</a>
 <a href="chapter7.html" class="btn btn-neutral float-right" title="7. Security Configurations" accesskey="n" rel="next">Next </a>
 </div>

<hr/>

<div role="contentinfo">
 &#169; Copyright 2025, Internet Systems Consortium.
 </div>

Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
 <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
 provided by <a href="https://readthedocs.org">Read the Docs</a>.

</footer>
 </div>
 </div>
 </section>
 </div>
 <script>
 jQuery(function () {
 SphinxRtdTheme.Navigation.enable(true);
 });
 </script>

</body>
</html>

${this.title}

Code Editor : chapter6.html