No query to root-nameserver for private ips
Kevin Darcy
kcd at daimlerchrysler.com
Tue Mar 14 20:19:30 UTC 2006
Leopold Aichinger wrote:
>For our LAN(s) we use 10.10.10.0/24, 192.168.64.0-192.168.254.0 and 172.30.0.0/24.
>Perhaps because of misconfiguration, hosts sometimes query the internal DNS
>for IP addresses outside these ranges (for example they do a reverse lookup
>for the IP 10.1.2.3).
>The internal DNS is configured as forward first, so if the
>DNS cannot answer a query for, say, 10.1.2.3 (which of course the forwarders
>cannot answer either), the internal DNS will contact a root nameserver.
>
>I would now like to reduce this traffic, and to do so I generated a zone file
>which I called notused.db:
>-------------------
>$ttl 7D
>@ IN SOA router1.bfi20s. administrator.bfi20s. (
> 1 ; Serial
> 10800 ; Refresh
> 3600 ; Retry
> 604800 ; Expire
> 86400 ) ; Minimum
>
> IN NS router1.bfi20s.
>
>------------------
>Note: router1.bfi20s is the internal DNS.
>
>
>The interesting part of the /etc/named.conf for this zone file:
>------------------
>
><-- snipp -->
> forward first;
> forwarders {
> x.x.x.x;
> y.y.y.y;
> };
>};
>
>< -- snipp -- >
>
>zone "10.10.10.in-addr.arpa" {
> type master;
> file "10.10.10.zone";
>};
>
>zone "10.in-addr.arpa" {
> type master;
> file "db.notused";
>};
>
>------------------
>
>If I now do a:
># dig @127.0.0.1 +trace 10.1.2.3
>logged in on the internal DNS, I get the following output:
>
>....................................................................................
>; <<>> DiG 9.2.4 <<>> @127.0.0.1 +trace 10.1.2.3
>;; global options: printcmd
>. 476937 IN NS E.ROOT-SERVERS.NET.
>
>< -- snipp -- >
>
>. 476937 IN NS D.ROOT-SERVERS.NET.
>;; Received 436 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
>
>. 86400 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2006031301 1800 900 604800 86400
>;; Received 101 bytes from 192.203.230.10#53(E.ROOT-SERVERS.NET) in 445 ms
> ^^^^^^^^^^^^^ ^^^^^^^
>....................................................................................
>
>How can I stop my internal DNS from querying the root nameserver for
>internal addresses it cannot resolve?
>Thanks for every idea or every hint on where I can get useful knowledge!
>
Are you sure the zone loaded properly? You refer to the zone file as
notused.db in one part of your message, but the named.conf excerpt
specifies db.notused -- those two don't match. What happens if you do a
query directly of the 10.in-addr.arpa domain, e.g. for its SOA record?
Do you get a good response?
- Kevin
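An added example, not part of this thread and not BIND's own tooling, of the two checks Kevin's reply points at: does every `file` named in a master zone statement actually exist, and is the server authoritative for each RFC 1918 reverse zone so that no PTR lookup in private space can fall through to the roots? The named.conf excerpt and the directory listing below are constructed to mirror the poster's message (documentation-range forwarder addresses stand in for his x.x.x.x / y.y.y.y); the parser assumes comments have already been stripped from the config.

```python
import re

# Reverse zones for the three RFC 1918 private ranges. A resolver that is
# authoritative for all of them never has to ask the root servers about
# PTR lookups in private address space.
RFC1918_REVERSE_ZONES = (
    ["10.in-addr.arpa"]
    + ["%d.172.in-addr.arpa" % i for i in range(16, 32)]
    + ["168.192.in-addr.arpa"]
)

# Constructed named.conf excerpt mirroring the poster's: note file "db.notused".
# Forwarder addresses are documentation-range placeholders, not real servers.
SAMPLE_NAMED_CONF = """
options {
    forward first;
    forwarders { 192.0.2.1; 192.0.2.2; };
};
zone "10.10.10.in-addr.arpa" { type master; file "10.10.10.zone"; };
zone "10.in-addr.arpa" { type master; file "db.notused"; };
"""
# Constructed directory listing: the poster says the file he wrote is notused.db.
SAMPLE_FILES_ON_DISK = {"10.10.10.zone", "notused.db"}


def _block_end(text, open_brace):
    """Index of the '}' matching the '{' at open_brace (depth-counting, so
    nested blocks such as allow-update { ... }; inside a zone are handled)."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in named.conf")


def parse_zone_statements(named_conf):
    """Return [(zone name, type, file)] for every zone "..." { ... }; block.
    Assumes config comments have been stripped beforehand (not done here)."""
    zones = []
    for m in re.finditer(r'\bzone\s+"([^"]+)"', named_conf):
        start = named_conf.index("{", m.end())
        body = named_conf[start + 1:_block_end(named_conf, start)]
        ztype = re.search(r"\btype\s+(\w+)\s*;", body)
        zfile = re.search(r'\bfile\s+"([^"]+)"\s*;', body)
        zones.append((m.group(1).rstrip(".").lower(),
                      ztype.group(1).lower() if ztype else None,
                      zfile.group(1) if zfile else None))
    return zones


def covers(zone, target):
    """True if authority for 'zone' also answers for 'target' (same name or an
    ancestor of it, e.g. in-addr.arpa covers 10.in-addr.arpa)."""
    return zone == target or target.endswith("." + zone)


def audit(named_conf, files_on_disk):
    """Report master zones whose file is absent from disk, and RFC 1918 reverse
    zones that no master/slave zone covers (those will leak to the roots)."""
    zones = parse_zone_statements(named_conf)
    authoritative = [name for name, ztype, _ in zones if ztype in ("master", "slave")]
    missing_files = sorted(zfile for _, ztype, zfile in zones
                           if ztype == "master" and zfile and zfile not in files_on_disk)
    uncovered = [z for z in RFC1918_REVERSE_ZONES
                 if not any(covers(a, z) for a in authoritative)]
    return {"missing_files": missing_files, "uncovered": uncovered}


if __name__ == "__main__":
    report = audit(SAMPLE_NAMED_CONF, SAMPLE_FILES_ON_DISK)
    for f in report["missing_files"]:
        print("zone file referenced in named.conf but not on disk:", f)
    for z in report["uncovered"]:
        print("no local authority for private reverse zone:", z)
```

On the constructed input the audit flags `db.notused` as missing (the file on disk is `notused.db`, the mismatch Kevin spotted) and lists the 172.16/12 and 192.168/16 reverse zones as uncovered, since only 10.in-addr.arpa has a local master zone. The live counterpart of the file check is the query Kevin suggests: `dig @127.0.0.1 SOA 10.in-addr.arpa` should come back with `aa` in the `;; flags:` line and the constructed SOA, not a referral to the root servers.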