Preventing external lookups
Mark
admin at asarian-host.net
Tue Nov 11 19:47:25 UTC 2003
"Barry Margolin" <barry.margolin at level3.com> wrote in message
news:erasb.458$lK3.28 at news.level3.com...
> In article <borbpm$1esj$1 at sf1.isc.org>, Mark <admin at asarian-host.net>
> wrote:
>
> > Running BIND 8.4.1, I loaded a large master zone from a DNS blocklist.
> > The result? Matches are found very fast, of course. But when BIND cannot
> > find a match, it still seems to query the root-servers, which can take
> > quite a while to return a negative response.
> >
> > So, my question is, can I prevent any external lookups for one specific
> > zone? External meaning: anything not defined in the zone file itself.
>
> If your server is master for the zone, it should never recurse for
> anything in that zone. Something else must be going on.
You know, I was wrong about the recursion. It just took an awful long time
to resolve. :) The zone I added was the blacklist for dynablock.easynet.nl;
like so:
------------------------------------
zone "dynablock.easynet.nl" {
type master;
file "dynablock.txt";
allow-query { trusted; };
};
------------------------------------
And added the dynablock.txt file. When I do a lookup on a match, it goes
like this:
------------------------------------
asarian-host: {root} % nslookup 200.151.53.64.dynablock.easynet.nl
Server: localhost
Address: 127.0.0.1
Name: dsl-cable-dhcp-dialup.ip.dynablock.easynet.nl
Address: 127.0.0.2
Aliases: 200.151.53.64.dynablock.easynet.nl
------------------------------------
For a match, I get the result back immediately, as expected. But for a
non-match, it takes forever to find it,
------------------------------------
asarian-host: {root} % nslookup 70.160.109.194.dynablock.easynet.nl
Server: localhost
Address: 127.0.0.1
*** Request to localhost timed-out
asarian-host: {root} % nslookup 70.160.109.194.dynablock.easynet.nl
Server: localhost
Address: 127.0.0.1
*** localhost can't find 70.160.109.194.dynablock.easynet.nl:
Non-existent host/domain
------------------------------------
If I examine my query-log, indeed no recursion took place:
------------------------------------
XX+/127.0.0.1/1.0.0.127.in-addr.arpa/PTR/IN
XX+/127.0.0.1/70.160.109.194.dynablock.easynet.nl/A/IN
XX+/127.0.0.1/70.160.109.194.dynablock.easynet.nl.net/A/IN
XX+/127.0.0.1/1.0.0.127.in-addr.arpa/PTR/IN
XX+/127.0.0.1/70.160.109.194.dynablock.easynet.nl/A/IN
XX+/127.0.0.1/70.160.109.194.dynablock.easynet.nl.net/A/IN
------------------------------------
So, what is taking BIND so long when it cannot find a match? I would have
expected an equally fast response for a non-match.
Thanks,
- Mark
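Added example, not code from the post or from BIND: a small Python parser for the BIND 8 query-log format quoted above. It separates names the master zone answers itself from names with further labels appended (like the `.net` lines in the log) and recovers the reversed IPv4 address from a DNSBL-style query name; the sample log is constructed from the post, and reading the `+` flag as the recursion-desired bit is an assumption.

```python
import ipaddress
import re
from collections import Counter

# BIND 8 query-log format as quoted in the post: XX<flag>/client/qname/qtype/class.
# The '+' flag is treated here as the client's recursion-desired bit (an assumption).
LOG_RE = re.compile(r"^XX(?P<flag>[+-]?)/(?P<client>[^/]+)/(?P<qname>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^/]+)$")
BLOCKLIST_ZONE = "dynablock.easynet.nl"

# Constructed sample input: the three distinct query-log lines from the post.
SAMPLE_LOG = """\
XX+/127.0.0.1/1.0.0.127.in-addr.arpa/PTR/IN
XX+/127.0.0.1/70.160.109.194.dynablock.easynet.nl/A/IN
XX+/127.0.0.1/70.160.109.194.dynablock.easynet.nl.net/A/IN
"""

def parse_line(line):
    """Return one query-log line as a dict (flag, client, qname, qtype, qclass), or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(qname, zone=BLOCKLIST_ZONE):
    """'in-zone': the master zone answers it itself; 'suffix-appended': the zone name is
    followed by more labels (a resolver search suffix, as in the '.net' lines); 'other'."""
    q = qname.rstrip(".").lower() + "."
    z = zone.lower() + "."
    if q == z or q.endswith("." + z):
        return "in-zone"
    return "suffix-appended" if "." + z in q else "other"

def queried_ip(qname, zone=BLOCKLIST_ZONE):
    """Recover the IPv4 address a DNSBL-style name asks about: its octets sit in
    reverse order under the zone apex. None if the name is not such a query."""
    if classify(qname, zone) != "in-zone":
        return None
    labels = qname.rstrip(".")[: -len(zone) - 1].split(".")
    try:
        # IPv4Address rejects anything that is not exactly four valid octets.
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None

def summarize(log_text, zone=BLOCKLIST_ZONE):
    """Count parsed lines per class, so lookups that leave the zone stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[classify(rec["qname"], zone)] += 1
    return counts
```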