Overriding external domains DNS Bind9’s Response Policy Zone on your pfSense

Posted on by Thiago Crepaldi

Last Updated on December 30, 2024 by Thiago Crepaldi

On a previous post, we’ve discussed how to use Bind9 on your pfSense in a way that external names were forwarded to name servers while internal names were statically resolved by Bind. In this post, we are going to discuss how to override the IPs returned by external name servers with IPs of our choosing. As an example, assume you want to make www.disney.com to resolve to 192.168.0.666!

You could do this by changing the hosts file on each machine, but this would hardly scale. Since BIND 9.8.1, the concept of Response Policy Zone was created for this purpose and we are going to demonstrate how it works.

pfBlockerNG depends on Unbound, so don’t replace it with Bind if you still want to block stuff with it.

First, I am assuming you have a working bind9 on your pfSense. Next, go to Service >> BIND DNS Server >> Zones and click on Add:

  • Zone
    • Domain Zone Configuration
      • Disable this zone: Unchecked
      • Zone name: response-policy-zone
      • Description: Trusted Forward zone for public overridden DNS records
      • Zone Type: Master
      • View: Trusted-View
      • Reverse zone: Unchecked
      • IPv6 Reverse Zone: Unchecked
      • Response Policy Zone: Checked
      • Custom option: leave blank
    • DNSSEC
      • Inline signing: Unchecked
    • Master Zone Configuration
      • TTL: 86400
      • Nameserver: localhost
      • Base domain IP: 127.0.0.1
      • Mail Admin Zone: root@localhost or a real email
      • Serial: 1 or something like YYYYMMDDxx (e.g. 2023031701)
      • Refresh: 1d
      • Retry: 2h
      • Expire: 4w
      • Minimum: 1h
      • allow-update: None
      • Enable update-policy: Unchecked
      • allow-query: Trusted-ACL
      • allow-transfer: None
    • Zone Domain Records:
      • Add an entry
        • Record: disney.com
        • Type: A
        • Priority: leave blank
        • Alias or IP address: 192.168.0.666
      • Register DHCP Static Mappings: Unchecked
    • Custom Zone Domain Records:
      • leave empty

Click on Save and you are done. If you need more overrides, just add them to the Zone Domain Records section above

Have fun!

1 thought on “Overriding external domains DNS Bind9’s Response Policy Zone on your pfSense

  1. HI, Thanks for it.
    But I am having this problem:

    /etc/namedb/master/Trusted-View/response-policy-zone.DB:21: ignoring out-of-zone data (disney.com)

    What could it be?

    Reply

Leave a Reply