Stop leaking queries for RFC 1918 zones

Mark Andrews marka at isc.org
Fri Sep 22 20:11:27 UTC 2023


The option is enabled by default; however, if you forward all queries, the automatic zones won’t be created and the forwarder is responsible for filtering. This is done like this because lots of people use forwarding to get to the internal servers that serve these zones. 

Just create empty zones in named.conf if the automatic creation doesn’t work with the rest of your configuration.

The log messages are there to tell you that queries are still leaking. 

Given your other questions about 10.in-addr.arpa I would really set it up and delegate based on which address blocks are assigned to whom.  Allow the zone to be transferred to any 10.0.0.0/8 address by default. Add in other server addresses or TSIG keys as different departments request access to it.  Start with an empty zone and delegations for the addresses you are using yourself and build up from there.  Turn off forwarding in this zone’s configuration by using an empty forwarders clause ( forwarders { /* empty */ }; ). 

I know you said this was a lost cause but it doesn’t have to be 100% perfect. It can be built up over time.

-- 
Mark Andrews
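The configuration Mark describes above, written out as an added named.conf fragment (this is example code, not part of the original post and not ISC's own configuration): global forwarding that suppresses the automatic empty zones, an explicitly served 10.in-addr.arpa with an empty forwarders clause and transfer access for 10.0.0.0/8 plus a TSIG key, and explicit empty zones for the remaining RFC 1918 reverse space. The forwarder addresses, directory and file names, the acl and key names, and the key secret are assumptions chosen for illustration.

```conf
// Added example, not from the original post or from ISC. Forwarder
// addresses, file names, acl/key names and the secret are assumptions.

options {
    directory "/var/named";
    // Forwarding every query is what stops named from creating the
    // automatic empty zones, so the RFC 1918 reverse zones are declared
    // explicitly further down.
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;
    empty-zones-enable yes;   // the default; shown only to make clear it is not the fix
};

// Everything in 10.0.0.0/8 may pull the reverse zone by default.
acl "rfc1918-net10" { 10.0.0.0/8; };

// TSIG key for a department whose secondary sits outside 10.0.0.0/8.
// Generate a real one with tsig-keygen; this secret is a placeholder.
key "dept-eng" {
    algorithm hmac-sha256;
    secret "ZGVwdC1lbmctcGxhY2Vob2xkZXItc2VjcmV0LWNoYW5nZS1tZQ==";
};

// Authoritative 10.in-addr.arpa: start with only SOA/NS plus delegations
// for the /24s you use yourself, and grow it as departments ask for space.
// Use "type master" on BIND releases that predate the "primary" keyword.
zone "10.in-addr.arpa" {
    type primary;
    file "10.in-addr.arpa.db";
    forwarders { /* empty */ };               // never forward names under this zone
    allow-transfer { "rfc1918-net10"; key "dept-eng"; };
};

// The rest of the RFC 1918 reverse space, served locally as empty zones so
// queries for it stop reaching the forwarders. One shared file holding just
// an SOA and an NS record is enough for all of them.
zone "16.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "17.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "18.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "19.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "20.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "21.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "22.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "23.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "24.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "25.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "26.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "27.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "28.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "29.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "30.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "31.172.in-addr.arpa"  { type primary; file "empty.db"; forwarders { }; };
zone "168.192.in-addr.arpa" { type primary; file "empty.db"; forwarders { }; };
```

The two zone files referenced above are assumed to contain only an SOA record and an NS record pointing at your own server (for 10.in-addr.arpa.db, add NS records such as a delegation of 42.10.in-addr.arpa to a department's server as each block is handed out). Validate with named-checkconf and named-checkzone before reloading. To confirm the leak is closed, run dig -x 172.16.0.1 against the server: the answer should come back NXDOMAIN with the aa flag set and the empty zone's SOA in the AUTHORITY section, rather than being passed to the forwarders, and the corresponding log messages should stop.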

> On 23 Sep 2023, at 02:45, John Thurston <john.thurston at alaska.gov> wrote:
> 
> 
> The global/view option
> 
> empty-zones-enable yes; 
> 
> isn't behaving as I expected. 
> 
> I had expected that it would cause empty "RFC 1918" zones to be created for those zones for which there were not local zones defined. That is, if there were no local zones of this type defined, it would create all the required empty zones. But if 10.in-addr.arpa was defined locally, it would skip that but define the rest of them.
> 
> After looking at my logs, and seeing that I'm leaking RFC 1918 queries, I see my expectations were wrong.
> 
> Is explicitly defining the remaining empty zones the best way to correct this?
> 
> Or maybe add the un-used RFC 1918 zones to our RPZ?
> 
> -- 
> --
> Do things because you should, not just because you can. 
> 
> John Thurston    907-465-8591
> John.Thurston at alaska.gov
> Department of Administration
> State of Alaska