Negative zones; NXDOMAIN responses
Carlos M. Martinez
carlosm3011 at gmail.com
Mon May 20 10:20:20 UTC 2013
You need the soa record. It has to be empty but not THAT empty :-)
Sent from my iPad
On 20 May 2013, at 04:51, Narcis Garcia <informatica at actiu.net> wrote:
> - Yes, I thought about not using DNS from the same internet provider,
> but wanted to know if there is a way to patch only the .local response.
>
> - This is the configuration I use in one of the LANs:
>
> view "local-nets" {
> match-clients { acl_local-nets; };
> recursion yes;
> forwarders {
> 62.151.2.8;
> };
> include "/etc/bind/named.conf.default-zones";
> }
>
> - These are the tests to be done from a client:
> $ host -t SOA local.
> $ host -t SOA local. 62.151.2.8
>
> - I've tried to create an empty zone, or one lacking A or SOA records,
> but then BIND9 doesn't load it:
> zone local/IN: has 0 SOA records
> zone local/IN: has no NS records
> zone local/IN: not loaded due to errors.
>
> - I'm using BIND 9.7.3 from Debian 6, and I see that I need to upgrade
> to BIND 9.8.4 from Debian 7 to configure an RPZ zone.
> But I'm not sure if it's useful for SOA records.
>
>
> Al 20/05/13 09:00, En/na Matus UHLAR - fantomas ha escrit:
>>>> On 19 May 2013 20:51, Narcis Garcia <informatica at actiu.net> wrote:
>>>>> The internet ISP returns positive values for .local
>>>>> queries, and I need that LAN clients receive NXDOMAIN instead.
>>
>> do they return positive answers for any non-existing domains?
>> (is this one of ISPs wanting to make money on mistypes and lying to the
>> people?)
>> On 19.05.13 21:26, Steven Carr wrote:
>>> But in response to the actual question... what you want to do is not
>>> possible in BIND zone configs as you can't create a negative zone
>>> (that I'm aware of).
>>
>> He can create empty .local zone that will return NXDOMAIN for everything.
>>
>>> On 19 May 2013 21:22, Steven Carr <sjcarr at gmail.com> wrote:
>>>> Why are you forwarding queries to the ISP? Implement your own caching
>>>> layer, I for one would never use/trust an ISP's caching servers. If I
>>>> want to resolve a domain I go direct to the source, not via a 3rd
>>>> party.
>>
>> This is the real solution. You should not use services broken like this from
>> any ISP. I'd even recommend not using ANY services of such ISPs.
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
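The fix the thread converges on (an "empty" zone that still carries the SOA and NS records BIND insists on), written out as an added example that is not part of the thread: a shell helper that writes a minimal zone file for local. and the zone stanza to include inside the "local-nets" view. The directory, file names and the localhost. NS target are assumptions; note that the apex local. itself answers NOERROR with its SOA, so the NXDOMAIN check has to use a name under it.

```shell
# Added example (not from the thread): write a minimal zone for "local." and
# the zone stanza for the "local-nets" view. Paths and names are assumptions.
write_empty_local_zone() {
    dir="$1"
    # Only an SOA and an NS record. BIND refuses to load a zone without them
    # ("has 0 SOA records" / "has no NS records"), but with them every name
    # below the apex gets NXDOMAIN; the apex (local.) still answers NOERROR.
    # The NS target localhost. is outside the zone, so no glue A record is needed.
    cat > "$dir/db.empty-local" <<'EOF'
$TTL 86400
@   IN  SOA localhost. root.localhost. (
        1        ; serial
        604800   ; refresh
        86400    ; retry
        2419200  ; expire
        86400 )  ; negative caching TTL (how long clients cache the NXDOMAIN)
@   IN  NS  localhost.
EOF
    # Stanza to include inside view "local-nets" { ... }. An authoritative zone
    # in the view is answered before the view's forwarders are consulted, and it
    # only affects clients that match that view.
    cat > "$dir/named.conf.local-zone" <<EOF
zone "local" {
    type master;
    file "$dir/db.empty-local";
};
EOF
    # Validate the zone file when BIND's checker is installed (bind9utils).
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone local "$dir/db.empty-local" || return 1
    fi
    return 0
}
# Usage: write_empty_local_zone /etc/bind
# then add  include "/etc/bind/named.conf.local-zone";  inside the view,
# reload named, and from a client run:  host -t A anything.local.
# (expect NXDOMAIN; "host -t SOA local." returns the SOA, which is correct)
```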