• Share
  • Dark

Using the GeoIP Features in BIND 9.10

  • Updated on 22 Apr 2014
  • 2 minutes to read
  • Contributors 

BIND 9 access control lists are used to limit access to various server functions according to the IP address of the requestor of that access.  BIND 9.10 is able to use data from MaxMind GeoIP databases to achieve restrictions based on the (presumed) geographic location of that address. The ACL itself is still address-based, but the GeoIP-based specification mechanisms can easily populate an ACL with addresses in a certain geographic location. This capability was derived from code contributed by Ken Brownfield. An interesting use of geographic ACLs is to offer different BIND Views to clients in different geographic locations.

BIND 9.10's GeoIP features work by allowing you to create ACL elements that evaluate based on the location information for the client's IP address.  This uses the API provided by MaxMind® to query their GeoIP database but should work with any database in a compatible format.

The primary intended purpose for the GeoIP feature is to permit the creation of answer sets specific to geographic regions, in order to connect clients with local services.  This can result in improved response time for the client and a reduction in long-haul network traffic.

In order to use the GeoIP features, BIND must be built with GeoIP support by using '--with-geoip' in the configure step of the build process .  Without this build configuration BIND will not recognize the named.conf GeoIP extensions or be able to perform any GeoIP lookups.

When built with GeoIP, named.conf supports the "geoip-directory" option.

options {    geoip-directory "/path/to/geoip/database";};

ACLs can  perform GeoIP lookup tests using the client IP address.  Many different types of GeoIP lookups can be performed.  For more detailed information about what is supported see chapter 6 of theARM that came with yourBIND distribution.

acl "example" {  geoip country US;  geoip region CA;  geoip city "Redwood City"; /* names, etc., must be quoted if they contain spaces */};

While these can be used in any ACLs, the most common place to use them is in the match statements on views in order to route clients to the view with the answers selected for their location.

options {    geoip-directory "/path/to/geoip/database";};acl "redwoodcity" {  geoip country US;  geoip region CA;  geoip city "Redwood City"; /* names, etc., must be quoted if they contain spaces */};view "redwoodcity" {  match-clients { redwoodcity; };  zone "isc.org" {    file "locals/db.isc.org";    type master;  };};view "default" {  zone "isc.org" {    file "nonlocals/db.isc.org";    type master;  };};

© 2001-2018 Internet Systems Consortium For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership. ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.

Problems with this site? Email us at marketing@isc.org