Using the GeoIP Features
22 May 2020

BIND 9 access control lists are used to limit access to various server functions according to the IP address of the requestor of that access. BIND 9.10 is able to use data from MaxMind GeoIP databases to achieve restrictions based on the (presumed) geographic location of that address. The ACL itself is still address-based, but the GeoIP-based specification mechanisms can easily populate an ACL with addresses in a certain geographic location. This capability was derived from code contributed by Ken Brownfield. An interesting use of geographic ACLs is to offer different BIND Views to clients in different geographic locations.

BIND 9.10's GeoIP features work by allowing you to create ACL elements that evaluate based on the location information for the client's IP address. This uses the API provided by MaxMind® to query their GeoIP database but should work with any database in a compatible format.

The primary intended purpose for the GeoIP feature is to permit the creation of answer sets specific to geographic regions, in order to connect clients with local services. This can result in improved response time for the client and a reduction in long-haul network traffic.

In order to use the GeoIP features, BIND must be built with GeoIP support. In BIND 9.16 and higher, this is done by using --with-maxminddb (which is enabled by default) in the configure step of the build process. Older versions of BIND used --with-geoip, which was not enabled by default.

Without GeoIP in the build configuration, BIND will not recognize the named.conf GeoIP extensions or be able to perform any GeoIP lookups.

When built with GeoIP, named.conf supports the "geoip-directory" option.

options {
     geoip-directory "/path/to/geoip/database";
};

ACLs can perform GeoIP lookup tests using the client IP address. Many different types of GeoIP lookups can be performed. For more detailed information about what is supported, see chapter 6 of the ARM that came with your BIND distribution.

acl "example" {
     geoip country US;
     geoip region CA;
     geoip city "Redwood City"; /* names, etc., must be quoted if they contain spaces */
};

(Note that ACLs are processed on a first-match basis, so the example above matches all of the US, not just Redwood City: a client anywhere in the US satisfies the first element and the remaining elements are never consulted. Users who want to combine GeoIP elements so that a client must satisfy all of them (for example country, region and city together) may wish to consult Using Access Control Lists (ACLs) with both addresses and keys for information on how to construct complex ACLs.)
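The following named.conf fragment is an added example, not part of the original article, that places the first-match ACL from above beside an intersecting form built with the nested-negation idiom (`!{ !X; any; }`) that the linked ACL article describes. The database path, the zone name example.com and the zone file names are placeholders chosen for this example.

```conf
options {
    /* Placeholder: directory holding the MaxMind database files */
    geoip-directory "/path/to/geoip/database";
};

/* First-match form, as in the article: a client in, say, Texas matches
   "geoip country US" on the first element and the later elements are
   never evaluated, so this ACL admits the whole US, not just Redwood City. */
acl "us-or-ca-or-redwood-city" {
    geoip country US;
    geoip region CA;
    geoip city "Redwood City";
};

/* Intersection form: each "!{ !X; any; }" element produces a negative
   match (reject) for a client that does NOT satisfy X and otherwise falls
   through to the next element. Only a client that is in the US, in region
   CA and in Redwood City reaches the final positive match. */
acl "redwood-city-ca-us" {
    !{ !geoip country US; any; };
    !{ !geoip region CA; any; };
    geoip city "Redwood City";
};

view "redwood-city" {
    match-clients { redwood-city-ca-us; };
    zone "example.com" {
        type master;
        file "locals/db.example.com";      /* placeholder zone file */
    };
};

view "default" {
    match-clients { any; };
    zone "example.com" {
        type master;
        file "nonlocals/db.example.com";   /* placeholder zone file */
    };
};
```

Run named-checkconf against the file before loading it: it validates the ACL syntax, and on a build without GeoIP support it reports an error on the geoip elements rather than silently ignoring them, which is the failure mode the article warns about. Keep the view whose ACL is most specific first, since views are also selected on a first-match basis.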

While GeoIP elements can be used in any ACL, the most common place to use them is in match-clients statements in views, in order to route clients to the view with the answers selected for their location.

options {
     geoip-directory "/path/to/geoip/database";
};

acl "unitedstates" {
     geoip country US;
};

view "unitedstates" {
     match-clients { unitedstates; };
     zone "isc.org" {
        file "locals/db.isc.org";
        type master;
     };
};

view "default" {
     zone "isc.org" {
        file "nonlocals/db.isc.org";
        type master;
     };
};