Blocking verisign DNS wildcards

By Babak Farrokhi, September 26, 2003 3:24 pm

I am happily running BIND 9.2.3rc4 on four DNS servers around the world, blocking DNS wildcards in the .com and .net zones. The delegation-only feature worked fine out of the box. The only tricky part of the process was installing BIND 9 on FreeBSD, which ships BIND 8 as part of the base system: the port only installs binaries and documentation, so all configuration has to be done by hand.


If you are running FreeBSD 4.x, you first have to configure the kernel random number generator (/dev/random), which rndc-confgen needs in order to generate the rndc key. I found this article very useful.
After configuring the random number generator, I enabled BIND 9 in rc.conf:

named_enable="YES"
named_program="/usr/local/sbin/named"
named_flags="-c /etc/namedb/named.conf -u bind"

In the above configuration, named runs as the bind user, which already exists in /etc/passwd by default.
Then you need to set up some permissions, because named now runs unprivileged and cannot write wherever it wants. The first thing is the pid file, which the bind user cannot create in the default location (/var/run). Make a separate directory for it and apply the appropriate permissions:

$ mkdir /var/run/bind
$ chown bind:bind /var/run/bind

and tell BIND to create the pid file in the new location by adding the following entry to named.conf:

options {
# your configuration here.....
pid-file "/var/run/bind/named.pid";
};

The next thing to do is to generate the rndc authentication key and fix the ownership of the generated key file. named must be able to read it, and nobody else should: whoever can read this key can control the server over the rndc command channel.

$ rndc-confgen -a
$ chown bind /usr/local/etc/rndc.key
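Before killing the old server and starting the new one, the permission steps above can be verified mechanically. The script below is an added example, not part of the original post: it checks that the pid-file directory exists and belongs to the bind user, that the rndc key file belongs to bind and is readable by no one else, and that named.conf points the pid file into that directory. The default paths are the ones used above. Two things are assumptions of the example rather than anything BIND requires: the user argument also accepts a numeric uid so the checks can be exercised against a scratch directory as an unprivileged user, and named.conf is scanned with a simple regular expression rather than a real parser (a pid-file line inside a commented-out block would be missed).

```python
"""Pre-flight checks before starting named as the unprivileged bind user.
Added example, not code from the original post."""
import os
import pwd
import re
import stat

# Matches an uncommented `pid-file "...";` line in named.conf (simple regex, not a parser).
PID_FILE_RE = re.compile(r'^\s*pid-file\s+"([^"]+)"\s*;', re.M)


def uid_for(user):
    """Resolve a user name to a uid. An int is passed through unchanged
    (assumption made for testing against a scratch directory)."""
    if isinstance(user, int):
        return user
    return pwd.getpwnam(user).pw_uid


def check_pid_dir(path, user):
    """The pid-file directory must exist and be owned and writable by `user`."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist (mkdir it and chown it to %s)" % (path, user)]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("%s is not a directory" % path)
    if st.st_uid != uid_for(user):
        problems.append("%s is not owned by %s" % (path, user))
    if not st.st_mode & stat.S_IWUSR:
        problems.append("%s is not writable by its owner" % path)
    return problems


def check_key_file(path, user):
    """rndc.key must belong to `user` and be inaccessible to group and world:
    anyone who can read it can drive named over the command channel."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist (run rndc-confgen -a)" % path]
    problems = []
    if st.st_uid != uid_for(user):
        problems.append("%s is not owned by %s" % (path, user))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s is group- or world-accessible (chmod 600 it)" % path)
    return problems


def check_named_conf(conf_text, pid_dir):
    """named.conf must set pid-file to a path inside the directory bind owns."""
    match = PID_FILE_RE.search(conf_text)
    if not match:
        return ["named.conf has no pid-file option; named will try /var/run/named.pid"]
    pid_file = match.group(1)
    if os.path.dirname(pid_file) != pid_dir.rstrip("/"):
        return ["pid-file %s is not inside %s" % (pid_file, pid_dir)]
    return []


def preflight(user="bind", pid_dir="/var/run/bind",
              key_file="/usr/local/etc/rndc.key",
              named_conf="/etc/namedb/named.conf"):
    """Run every check; an empty list means named can be started."""
    problems = check_pid_dir(pid_dir, user) + check_key_file(key_file, user)
    try:
        with open(named_conf) as conf:
            problems += check_named_conf(conf.read(), pid_dir)
    except FileNotFoundError:
        problems.append("%s does not exist" % named_conf)
    return problems


if __name__ == "__main__":
    import sys
    found = preflight()
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run it as root after the chown commands; it exits non-zero and lists every problem it found, and an empty list means the server can be started.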

Now kill the running DNS server (if any) and start BIND 9:

$ killall named
$ /usr/local/sbin/named -c /etc/namedb/named.conf -u bind

Done! It should be working now, but I suggest checking the process list and log files before leaving your new DNS server:

$ ps ax | grep -i named
18663  ??  Ss     1:27.11 /usr/local/sbin/named -c /etc/namedb/named.conf -u bind

$ tail /var/log/messages
Sep 26 11:20:17 pilot named[18663]: starting BIND 9.2.3rc4 -c /etc/namedb/named.conf -u bind
Sep 26 11:20:17 pilot named[18663]: command channel listening on 127.0.0.1#953
Sep 26 11:20:17 pilot named[18663]: command channel listening on ::1#953

So my installation is working. Now enable the “delegation-only” feature by adding the following lines to named.conf:

logging {
category "delegation-only" { "null" ; };
};
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };

That logging section disables the “enforced delegation-only” log messages, which could fill up your disk on a busy DNS server. Note what the option does: any answer from the com or net servers that is not a referral (NS records plus their glue) is turned into NXDOMAIN, so it must only be used on zones that really contain nothing but delegations; applied to a zone that legitimately holds other records, it would break those names.
Now reload your BIND configuration with rndc so the changes take effect (if you are coming from the BIND 8 world, remember that ndc is gone and has been replaced by rndc):

$ rndc reconfig

Now it is time to test and see the effect of the “delegation-only” option:

$ /usr/local/bin/dig @localhost www.somethingdoesnotexists.com

; <<>> DiG 9.2.3rc4 <<>> @localhost www.somethingdoesnotexists.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25364
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.somethingdoesnotexists.com.        IN      A

;; Query time: 984 msec
;; SERVER: 127.0.0.1#53(localhost)
;; WHEN: Fri Sep 26 13:50:33 2003
;; MSG SIZE  rcvd: 48

$  host www.somethingdoesnotexists.com localhost
Using domain server:
Name: localhost
Addresses: 127.0.0.1

Host not found.

Well, the wildcards are dead. Now I feel better using the Internet. :-)
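dig and host show what one query did; the script below, an added example that is not part of the original post, automates the same check against a resolver. It speaks raw DNS over UDP using only the standard library: it asks for a random, unregistered label under com and under net and reports NXDOMAIN (what the delegation-only resolver above returns), SYNTHESIZED (NOERROR with an A record, which means a wildcard is answering) or whatever other rcode came back. The random-label scheme, the 3-second timeout and the resolver address 127.0.0.1 are assumptions of the example; build_response exists only so that replies can be constructed offline for testing, it is not something a resolver does.

```python
"""Probe a resolver for Site Finder style wildcard answers (added example, not from
the original post). Standard library only: build a DNS A query, send it over UDP,
parse the reply and report whether an impossible name came back as NXDOMAIN."""
import os
import random
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """'www.example.com' -> length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(packet, offset, depth=0):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    if depth > 16:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:      # 2-byte pointer to a name earlier in the packet
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            rest, _ = decode_name(packet, pointer, depth + 1)
            labels.extend(rest.split(".") if rest else [])
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:                # root label ends the name
            return ".".join(labels), offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length

def build_query(name, txid):
    """Standard recursive A query for `name` with 16-bit transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)       # RD flag set
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def build_response(query, rcode, answers=()):
    """Reply to `query` with `rcode` and A records [(name, ipv4)]; test use only."""
    txid, _, qdcount = struct.unpack("!HHH", query[:6])
    flags = 0x8180 | (rcode & 0xF)                                  # QR, RD, RA
    header = struct.pack("!HHHHHH", txid, flags, qdcount, len(answers), 0, 0)
    body = b""
    for name, ip in answers:
        body += encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        body += socket.inet_aton(ip)
    return header + query[12:] + body                               # reuse the question

def parse_response(packet):
    """Header, question and answer sections of a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(packet, offset)
        questions.append((name, struct.unpack("!H", packet[offset:offset + 2])[0]))
        offset += 4                                                 # qtype + qclass
    for _ in range(an):
        name, offset = decode_name(packet, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, rdata))
    return {"txid": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}

def classify(query, response):
    """NXDOMAIN: honest answer (delegation-only at work). SYNTHESIZED: NOERROR with an
    A record, so a wildcard answered. MISMATCH: not a reply to our query. Else the rcode."""
    r = parse_response(response)
    if r["txid"] != struct.unpack("!H", query[:2])[0]:
        return "MISMATCH"
    if r["rcode"] == 3:
        return "NXDOMAIN"
    if r["rcode"] == 0 and any(t == QTYPE_A for _, t, _ in r["answers"]):
        return "SYNTHESIZED"
    return RCODE_NAMES.get(r["rcode"], "RCODE%d" % r["rcode"])

def probe(server, tld, timeout=3.0):
    """Ask `server` for a random label under `tld` (assumed to be unregistered)."""
    name = "%s.%s" % (os.urandom(12).hex(), tld)
    query = build_query(name, random.randrange(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    return name, classify(query, response)

if __name__ == "__main__":
    for tld in ("com", "net"):
        print("%s -> %s" % probe("127.0.0.1", tld))   # assumption: resolver on localhost
```

Pointed at the server configured above, both lines should end in NXDOMAIN; a resolver that forwards to a wildcarded TLD unprotected reports SYNTHESIZED with the wildcard's address in the answer section.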

And if you are curious, this is (almost) my current BIND config. Note that it restricts neither queries nor recursion (there is no allow-query or allow-recursion), so as written it is an open resolver that answers recursive queries for anyone:

options {
directory "/etc/namedb";
pid-file "/var/run/bind/named.pid";
version "Huh?";
};

logging {
category "delegation-only" { "null" ; };
};

zone "." {
type hint;
file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};

zone "com" { type delegation-only; };
zone "net" { type delegation-only; };

P.S. Frankly, I am not a BIND guru. The above configuration is not a secure setup. I strongly recommend reading the Secure BIND Template by Team Cymru for a secure BIND setup.

3 Responses to “Blocking verisign DNS wildcards”

  1. Blocking verisign DNS wildcards

    Geek Style: Blocking verisign DNS wildcards I am happily running BIND 9.2.3rc4 on four DNS servers around the world, blocking DNS wildcards on .net and .com zones. delegation-only feature worked fine out of the box. The only tricky part of the process …

  2. Rob Yelvington says:

    We should add that in case you can’t generate a key file because of the following error:

    rndc-confgen: generate key: not enough entropy

    Add the command-line option “-r /dev/urandom” to rndc-confgen to tell it to use /dev/urandom.

    Excellent article!

  3. Komeylian says:

    Dear sir

    I have some problem by rndc-confgen .

    I use rndc-confgen -a -c /usr/local/etc/rndc.key to generate the key, but unfortunately it runs for more than 10 minutes and does not report anything.
