Forum Discussion

MW1's avatar
Icon for Cirrus rankCirrus
Sep 27, 2011

GTM - anyway to add include file command in the bind config?



I was looking in to dual purposing our GTM's to also act as a DNS sinkhole for my company. To do this I want to maintain another file on the GTM's which contain the list of malware domains to blackhole.



This is done by adding the following line to the named.conf :



include "/config/namedb/malwaredomains.zones";




Everything works fine and bind on the GTM's accept the config when manually edited, however if I add this in via the webgui it causes zonerunner to error. If I try to access zonerunner after manually editing the bind (stopping zonerunner, editing manually, checking the config and then reloading bind, and starting zonerunner) I get :



01020005:3: The requested operation is not implemented yet.



The GTM still responds fine to DNS lookups and blackholes the included file domains as expected but the GUI is broken.



Does anyone have any experience of including files in the bind config on a GTM, or any thoughts how I might be able to achieve what I'm after without losing the zonerunner gui as I have some team members that do not like the command line/vi edits?





Edit - as is always the way I find the fix after posting.



[Global Traffic Manager] Changes in zone files on redundant system configuration are not saved correctly (CR85597)


Occasionally, modifying a zone file on one Global Traffic Manager in a redundant system configuration results in the system displaying the error message: 01020005:3: The requested operation is not implemented yet. To resolve this issue, modify the INI file in usr/local/bin/sync_zones to ensure the rsync operations uses the -u option.





4 Replies

  • Hi MW,



    I was looking for a way to implement this DNS blackhole solution for GTM and came across this topic, care to share how do you achieve this?



    As in after adding the line " include "/config/namedb/malwaredomains.zones"; " into the named.conf file, what further actions to take to tell GTM to actually blackholes the zones in that file?



    thanks in advance!
  • In the /config/namedb/malwaredomains.zones file the domain entries are like this below example:



    zone "" {type master; file "/etc/namedb/blockeddomain.hosts"; };



    the /etc/namedb/blockeddomain.hosts file is the same for each blackholed domain. It is this that then contains the IP etc it will resolve to. Here is the content of mine (anonymised) - the is where all blackholed requests get resolved to:



    ; This zone will redirect all requests back to the blackhole itself.



    $TTL 3600 ; one day



    @ IN SOA (




    3600 ; refresh 8 hours


    3600 ; retry 2 hours


    3600 ; expire 10 days


    3600 ) ; min ttl 1 day










    * IN A





    I recommend checking out:




    and the SANS/dshield






    To be honest I had meant to extract the sans script for pulling the list of in to the right format for bind as my multiple uses of sed is very painful. If you use wget to pull the list from the sites you may need to spoof the user agent as some of the sites block wget/curl



    Hope the above helps



  • Hi Matt,



    Thanks for the solution, will try that out..



    Appreciate your explanation!