Discussion:
Disable Root Hints
Eric Reischer
2008-10-23 19:33:08 UTC
Greetings all. I have a private network that is not (and will not ever
be) connected to the Internet, but I want to set up an internal DNS
server to help with navigating between machines. I've successfully set up my
domain (foo.com, let's say) root file and the server is answering
queries to it dutifully, but I want to disable failover to the
root-servers in the event the local server cannot resolve a name (since
they'll never be reachable). However it seems that newer versions of
BIND9 actually have the root servers primed in the program at
compile-time, irrespective of the root hints file.

My question is, will it be sufficient to create a new root hints file
that has [A-M].ROOT-SERVERS.NET all defined as 192.168.0.2 (my BIND9
server's address), or will some other method be more prudent? Will this
create a circular reference? My goal is to have the server return an
NXDOMAIN rather than a SERVFAIL on a query to a host that isn't in the
local table. The other thought I had was to create zone files for
"com", "net", "edu", etc, and have them all empty.

Thanks.
Florian Weimer
2008-10-23 19:40:30 UTC
Post by Eric Reischer
My question is, will it be sufficient to create a new root hints file
that has [A-M].ROOT-SERVERS.NET all defined as 192.168.0.2 (my BIND9
server's address), or will some other method be more prudent? Will this
create a circular reference? My goal is to have the server return an
NXDOMAIN rather than a SERVFAIL on a query to a host that isn't in the
local table. The other thought I had was to create zone files for
"com", "net", "edu", etc, and have them all empty.
You could disable recursion altogether and just serve your local zones
authoritatively.
Chris Buxton
2008-10-23 20:14:50 UTC
Post by Eric Reischer
Greetings all. I have a private network that is not (and will not ever
be) connected to the Internet, but I want to set up an internal DNS
server to help with navigating between machines. I've successfully set up my
domain (foo.com, let's say) root file and the server is answering
queries to it dutifully, but I want to disable failover to the
root-servers in the event the local server cannot resolve a name (since
they'll never be reachable). However it seems that newer versions of
BIND9 actually have the root servers primed in the program at
compile-time, irrespective of the root hints file.
My question is, will it be sufficient to create a new root hints file
that has [A-M].ROOT-SERVERS.NET all defined as 192.168.0.2 (my BIND9
server's address), or will some other method be more prudent? Will this
create a circular reference? My goal is to have the server return an
NXDOMAIN rather than a SERVFAIL on a query to a host that isn't in the
local table. The other thought I had was to create zone files for
"com", "net", "edu", etc, and have them all empty.
Thanks.
Set up a private root zone. There is no need to list all of the names
of the public root servers. Just create a root zone that delegates
your private domain name, like this:

$TTL 1d
.  SOA  your.server.foo.com. hostmaster.foo.com. ( 1 1h 15m 1w 1h )  ; the 7 SOA fields: mname rname serial refresh retry expire negative-ttl (example values)
   NS   your.server.foo.com.
foo.com.  NS  your.server.foo.com.
your.server.foo.com.  A  192.168.0.2  ; glue: the name server's name lies under the delegation (address from the question)

Chris Buxton
Professional Services
Men & Mice
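A complete configuration for the private-root approach Chris describes, added here as an illustration and not taken from any post in the thread. It assumes the BIND server is 192.168.0.2 (the address given in the question), that foo.com is the only internal domain, that the zone files live in /var/named under the names db.root and db.foo.com, and that the internal prefix is 192.168.0.0/24; the SOA timers and the sample host are made-up values.

```conf
// ---- named.conf (added example; directory, prefix and file names are assumptions) ----
options {
    directory "/var/named";
    listen-on { 192.168.0.2; };
    allow-query     { 192.168.0.0/24; };   // least privilege even on an isolated net
    allow-recursion { 192.168.0.0/24; };
    recursion yes;                         // clients still get recursion, but the
                                           // tree now ends at our private root
    // Deliberately no 'type hint' zone: named falls back to its compiled-in
    // root hints only when no zone "." is configured at all, and the master
    // zone below takes that place.
};

// Authoritative private root.  A name that matches no delegation here gets an
// authoritative NXDOMAIN from this zone instead of a SERVFAIL caused by an
// unreachable public root server.
zone "." {
    type master;
    file "db.root";
};

zone "foo.com" {
    type master;
    file "db.foo.com";
};

; ---- db.root (separate file; ';' starts a comment in zone files) ----
$TTL 1d
.                     IN SOA your.server.foo.com. hostmaster.foo.com. (
                          2008102301     ; serial
                          1h 15m 1w 1h ) ; refresh, retry, expire, negative-cache TTL
.                     IN NS  your.server.foo.com.
foo.com.              IN NS  your.server.foo.com.   ; delegate the private domain
your.server.foo.com.  IN A   192.168.0.2            ; glue: NS name lies below the cut

; ---- db.foo.com (separate file) ----
$TTL 1d
$ORIGIN foo.com.
@                     IN SOA your.server hostmaster (
                          2008102301 1h 15m 1w 1h )
@                     IN NS  your.server
your.server           IN A   192.168.0.2
host1                 IN A   192.168.0.10           ; constructed sample host
```

Check the files with named-checkconf and named-checkzone . db.root before loading them. Afterwards, dig @192.168.0.2 host1.foo.com should answer 192.168.0.10, and dig @192.168.0.2 nosuch.example should come back with status NXDOMAIN, the aa flag set and the root SOA in the authority section, which is exactly what the question asks for. Florian's alternative, recursion no, also keeps every query on the network, but names outside your own zones then get REFUSED or a referral to the (unreachable) root servers rather than NXDOMAIN.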
blrmaani
2008-10-27 16:13:32 UTC
I guess forwarding queries in the root zone (.) also works. But I don't
know if this causes any other side effects.

// Recursion should be enabled before adding the block below:

zone "." {
    type forward;
    forward only;                        // never fall back to iterative lookups
    forwarders { <your internal ips>; }; // replace with your internal resolver addresses
};

cheers
Blr
Barry Margolin
2008-10-28 00:24:42 UTC
Post by blrmaani
I guess forwarding queries in the root zone (.) also works. But I don't
know if this causes any other side effects.
zone "." {
type forward;
forward only;
forwarders { <your internal ips>; };
};
Isn't this equivalent to configuring forwarding in the options section?
--
Barry Margolin, ***@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Chris Buxton
2008-10-28 04:39:05 UTC
Post by Barry Margolin
Post by blrmaani
I guess forwarding queries in the root zone (.) also works. But I don't
know if this causes any other side effects.
zone "." {
type forward;
forward only;
forwarders { <your internal ips>; };
};
Isn't this equivalent to configuring forwarding in the options
section?
Yes it is.

Chris Buxton
Professional Services
Men & Mice
D. Stussy
2008-10-28 21:28:36 UTC
Post by Barry Margolin
Post by blrmaani
I guess forwarding queries in the root zone (.) also works. But I don't
know if this causes any other side effects.
zone "." {
type forward;
forward only;
forwarders { <your internal ips>; };
};
Isn't this equivalent to configuring forwarding in the options section?
Technically no. It will direct queries that start from the top-down, but
will not direct queries to the forwarders for any other specifically defined
zone. So what's the difference? Stub zones. I assume that master and
slave zones would be answered directly.
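The thread leaves open whether the options-section form and the zone "." form behave differently for stub zones. The configuration below, an added example rather than text from any post, sidesteps the question: it shows both forwarding forms as alternatives and declares an empty forwarders list on the stub zone, which in BIND is the most specific forwarding clause for names under that zone and therefore wins over any enclosing forwarding setting. The addresses are assumptions: 192.168.0.5 stands for a second internal resolver (the network in the original question has none, which is why forwarding cannot replace the private root there) and 192.168.0.3 for the authoritative server of an assumed stub zone corp.example.

```conf
// Added example.  Enable one of the two marked forwarding alternatives, not
// both.  192.168.0.5 and 192.168.0.3 are assumed addresses, corp.example an
// assumed zone.

options {
    recursion yes;                   // forwarding is a recursive operation
    // Alternative 1: global forwarding, the options-section form.
    forward only;                    // 'forward first' would retry iteratively after
                                     // a forwarder failure and hit the unreachable roots
    forwarders { 192.168.0.5; };
};

// Alternative 2: forward zone for ".", the form blrmaani posted.  Uncomment
// this block and drop the two forwarding lines from options above.
// zone "." {
//     type forward;
//     forward only;
//     forwarders { 192.168.0.5; };
// };

// Stub zone: named keeps only the NS set, fetched from the masters, and
// recurses to those name servers for everything else.  The empty forwarders
// list is the most specific forwarding clause for names under corp.example,
// so it takes precedence over whichever "."-level forwarding is in effect and
// those lookups go straight to the zone's own name servers.
zone "corp.example" {
    type stub;
    masters { 192.168.0.3; };
    file "stub.corp.example";
    forwarders { };                  // explicit: do not forward this zone
};
```

named-checkconf validates the file. Note that with forward only an unreachable forwarder yields SERVFAIL, the very symptom the original question wants to get rid of; on a network with a single DNS server the private root zone from Chris's reply is the fitting answer, and forwarding only makes sense once there is a second internal resolver to forward to.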
