Deny DNS Resolution for some specific range
06-20-2017 07:43 AM
Hi All,
How can I configure Infoblox DNS so that any client in the range 10.120.0.0/26 does not resolve any query for any website, except for the website with IP address 54.77.70.213, for example?
That is, the clients in the range 10.120.0.0/26 are only allowed to resolve queries for the website 54.77.70.213; any other website they try to resolve is denied resolution.
I appreciate your help.
Regards,
Paulo Fragoso
Mobile Data Engineering
Re: Deny DNS Resolution for some specific range
06-21-2017 01:58 AM
Ok, this sounds a bit odd, I'm not sure why you are trying to do this, but anyway, you may be able to do it using a view with a match-clients list of 10.120.0.0/26. That's the first part of the equation, but you need to figure out what happens if any other clients query this DNS server, because you may or may not need to configure a second view to catch everything else (else you will end up breaking resolution for all other clients).
Inside this view, you could have one zone defined for the web server name you are trying to resolve. The IP address you mention appears to be part of AWS:
>dig -x 54.77.70.213 +short
ec2-54-77-70-213.eu-west-1.compute.amazonaws.com.
So you could either create an authoritative zone for "eu-west-1.compute.amazonaws.com" that just contains this single host entry, or you could create a forwarding zone and forward the query to the AWS name servers.
If you also add a root zone (.) into this view then the server will not try and answer queries for anything else, it will just reply with NXDOMAIN.
This should do what you want.
Regards,
Paul
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Re: Deny DNS Resolution for some specific range
06-23-2017 10:19 AM
Hi Paul Roberts,
Thanks for the answer.
I tested in my lab and it looks like OK.
I created a new View "Paulo_Test_View" and inside it a "eu-west-1.compute.amazonaws.com" zone with the host record "ec2-54-77-70-213 Host 54.77.70.213". Please confirm if it is correct.
But I have some doubts:
1) When creating the View, is it necessary or not to "Enable Recursion" for this case?
2) Within the test View, when I added a root zone (.), the "eu-west-1.compute.amazonaws.com" zone disappeared inside the view. Is this behavior normal?
Regards,
Paulo Fragoso
Re: Deny DNS Resolution for some specific range
07-11-2017 02:58 AM
1) It depends what you want to do; don't enable recursion unless you need to.
2) That's correct, you can either drill down through the root zone or toggle the flat/hierarchical view.
PCN (UK) Ltd
Re: Deny DNS Resolution for some specific range
07-11-2017 07:02 AM
Hi Paul,
Thanks for your feedback.
I made the configuration as recommended but it is not working. It is possible to open any website, which was not expected.
Maybe something is missing in the configuration to make it work.
If you have any other opinion or suggestion it will be very appreciated.
Regards,
Paulo Fragoso
Re: Deny DNS Resolution for some specific range
07-11-2017 10:33 AM
View your DNS configuration and cut and paste it here - I'll take a look.
PCN (UK) Ltd
Re: Deny DNS Resolution for some specific range
07-12-2017 06:46 AM
Hi Paul
As requested below:
View:
header-view | name* | _new_name | comment | custom_root_name_servers | ddns_principal_group | ddns_principal_tracking | ddns_restrict_patterns | ddns_restrict_patterns_list | ddns_restrict_protected | ddns_restrict_secure | ddns_restrict_static | disable | dns64_groups | enable_blacklist | enable_dns64 | enable_match_recursive_only | filter_aaaa | filter_aaaa_list | forwarders | forwarders_only | lame_ttl | match_clients | match_destinations | max_cache_ttl | max_ncache_ttl | network_view | nxdomain_log_query | nxdomain_redirect | nxdomain_redirect_addresses | nxdomain_redirect_ttl | nxdomain_rulesets | recursion | root_name_server_type | rpz_drop_ip_rule_enabled | rpz_drop_ip_rule_min_prefix_length_ipv4 | rpz_drop_ip_rule_min_prefix_length_ipv6 |
view | Test_View | FALSE | FALSE | FALSE | 10.144.8.32/28/ALLOW,10.144.10.32/28/ALLOW | default | FALSE | TRUE |
Zone:
header-authzone,fqdn*,zone_format*,allow_active_dir,allow_query,allow_transfer,allow_update,allow_update_forwarding,comment,create_underscore_zones,ddns_principal_group,ddns_principal_tracking,ddns_restrict_patterns,ddns_restrict_patterns_list,ddns_restrict_protected,ddns_restrict_secure,ddns_restrict_static,disable_forwarding,disabled,external_primaries,external_secondaries,grid_primaries,grid_secondaries,is_multimaster,notify_delay,ns_group,prefix,_new_prefix,soa_default_ttl,soa_email,soa_expire,soa_mnames,soa_negative_ttl,soa_refresh,soa_retry,soa_serial_number,update_forwarding,view,zone_type
authzone,eu-west-1.compute.amazonaws.com,FORWARD,,,,,,,False,,,,,,,,False,False,,,,,True,,DNS_Gi_Group,,,,,,,,,,2,,Test_View,Authoritative
Zonechilds:
header-hostaddress,address*,_new_address,parent*,boot_file,boot_server,broadcast_address,configure_for_dhcp,configure_for_dns,deny_bootp,domain_name,domain_name_servers,ignore_dhcp_param_request_list,lease_time,mac_address,match_option,network_view,next_server,option_logic_filters,pxe_lease_time,pxe_lease_time_enabled,routers,use_for_ea_inheritance,view
header-hostrecord,fqdn*,_new_fqdn,addresses,aliases,cli_credentials,comment,configure_for_dns,_new_configure_for_dns,created_timestamp,creator_member,ddns_protected,disabled,enable_discovery,enable_immediate_discovery,ipv6_addresses,network_view,override_cli_credentials,override_credential,snmpv1v2_credential,snmpv3_credential,ttl,use_snmpv3_credential,view
hostrecord,ec2-54-77-70-213.eu-west-1.compute.amazonaws.com,,54.77.70.213,,,,True,,,,False,False,True,False,,default,False,False,,,,False,Test_View
hostaddress,54.77.70.213,,ec2-54-77-70-213.eu-west-1.compute.amazonaws.com,,,,False,True,,,,,,,,default,,,,,,True,Test_View
Regards,
Paulo Fragoso
Re: Deny DNS Resolution for some specific range
07-17-2017 01:54 AM
Sorry I was actually after the named.conf file, which you can get by viewing the DNS configuration.
PCN (UK) Ltd
Re: Deny DNS Resolution for some specific range
07-25-2017 10:19 AM
Hi Paul,
As requested below:
# Test_View
view "6" { # Test_View
    match-clients { key DHCP_UPDATER6; !all_dns_views_updater_keys; 10.144.8.32/28; 10.144.10.32/28; };
    match-destinations { any; };
    recursion yes;
    additional-from-cache yes;
    infoblox-blacklist-redirect { 41.78.18.146; }; # configuration digest {12da497d2123bbb79ab20e2d532c92f}
    lame-ttl 600;
    max-cache-ttl 604800;
    max-ncache-ttl 10800;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-accept-expired no;
    filter-aaaa-on-v4 no;
    zone "." in {
        type hint;
        file "named.cache.6";
    };
    zone "0.0.127.in-addr.arpa" in {
        type master;
        database infoblox_zdb;
        masterfile-format raw;
        file "azd/db.0.0.127.in-addr.arpa.6";
    };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" in {
        type master;
        database infoblox_zdb;
        masterfile-format raw;
        file "azd/db.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.6";
    };
    zone "eu-west-1.compute.amazonaws.com" in { # eu-west-1.compute.amazonaws.com
        type master;
        database infoblox_zdb;
        infoblox-multi-master automatic;
        masterfile-format raw;
        file "azd/db.eu-west-1.compute.amazonaws.com.6";
        notify yes;
    };
};
# Zone OID composite: 290799
Regards,
Paulo Fragoso
Re: Deny DNS Resolution for some specific range
09-29-2017 08:06 AM
Hi,
This has recursion enabled and is expected to resolve all the domains. You may turn off recursion, and then only records defined in eu-west-1.compute.amazonaws.com will get answered, and all other queries will get a REFUSED response.
Another caveat to this method is that you will get a REFUSED for a query that has a CNAME (if at all there are any) to eu-west-1.compute.amazonaws.com, and you may have to add them once someone reports.
Do you have an RPZ license for the DNS member that is handling this? If so, you could try to achieve this using a combination of a Block IP address/network rule in RPZ and a passthrough IP address.
The method that employs RPZ on the member uses more resources, as it checks all the queries.
Hope this helps.
Regards,
Syam.
Re: Deny DNS Resolution for some specific range
09-29-2017 08:27 AM
Sorry for the tardy response, your root zone is using hints (the default)...
zone "." in {
    type hint;
    file "named.cache.6";
};
If you define the root zone "." in Infoblox and assign a primary name server to it you will answer everything else as NXDOMAIN.
PCN (UK) Ltd
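The design Paul describes, written out as an added BIND-style named.conf sketch (not from the thread and not Infoblox's generated configuration): the restricted view has recursion off, one authoritative zone for the permitted host, and an authoritative (not hint) root zone, so every other name is answered NXDOMAIN; a catch-all view keeps resolution working for everyone else. The ACL and view names, the zone file names and the zone file contents shown in comments are assumptions.

```conf
// Added example, not from the thread. Names and file paths are assumptions.
acl restricted-clients { 10.120.0.0/26; };

view "restricted" {
    match-clients { restricted-clients; };
    recursion no;               // never resolve on these clients' behalf

    // Authoritative root zone: any name not covered by a more specific
    // zone in this view is answered from here, i.e. NXDOMAIN.
    // (A "type hint" root zone here would instead give REFUSED, or full
    // resolution if recursion were left on, as in the thread.)
    zone "." {
        type master;
        file "db.empty-root";   // assumed content:
                                //   $TTL 3600
                                //   @ IN SOA ns1.example.net. hostmaster.example.net. (
                                //        1 3600 900 604800 3600 )
                                //   @ IN NS  ns1.example.net.
                                //   ns1.example.net. IN A 192.0.2.53   (placeholder)
    };

    // The single name these clients are allowed to resolve.
    // Note: a CNAME in any other domain pointing here still gets NXDOMAIN,
    // because that other domain is answered from the root zone above.
    zone "eu-west-1.compute.amazonaws.com" {
        type master;
        file "db.eu-west-1.compute.amazonaws.com";  // assumed content:
                                //   $TTL 3600
                                //   @ IN SOA ns1.example.net. hostmaster.example.net. (
                                //        1 3600 900 604800 3600 )
                                //   @ IN NS  ns1.example.net.
                                //   ec2-54-77-70-213 IN A 54.77.70.213
    };
};

// Catch-all view, ordered last: all other clients keep normal resolution.
view "default" {
    match-clients { any; };
    recursion yes;
    zone "." { type hint; file "named.cache"; };
};
```

To check the result from a host inside 10.120.0.0/26, `dig @<server> ec2-54-77-70-213.eu-west-1.compute.amazonaws.com` should return the A record while `dig @<server> www.example.com` should return status NXDOMAIN rather than an answer.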
Re: Deny DNS Resolution for some specific range
10-11-2023 05:53 AM
I made the configuration as recommended but it is not working. It is possible to open any website, which was not expected.