Private DNS

Jim Reid jim at rfc1035.com
Mon Dec 18 17:08:59 UTC 2000


>>>>> "Mark" == Mark Goldie <merk at zfree.co.nz> writes:

    Mark> Apologies if this question has been asked before, I have
    Mark> named 8.2.2-P5 and what I want to do is run a private DNS
    Mark> server which still forwards out to the main one.

    Mark> I have that situation at the moment except it tries to
    Mark> contact root servers (which I see in the firewall logs) How
    Mark> can I avoid it trying to propagate itself?

I think you might misunderstand what's happening. Except for some
special cases, every name server has to contact the root servers when
it starts. This is not done so the server "propagates itself". It's
done so the server can find out the names and addresses of the root
servers. Once a name server has that information, it can be used to
traverse the DNS name space: for example to find the .com servers or
even the name servers for zfree.co.nz.

If you don't want your name server to ever query the root servers,
your best bet is to configure it as a forwarding-only server, i.e. it
stupidly sends every query it gets to some other name server that is
allowed to query other name servers. This works but is not ideal: why
not get those queries to just go directly to that other server? Your
forwarding server is utterly dependent on the server(s) it forwards
to, even though it is otherwise perfectly capable of acting
autonomously and resolving things for itself. Aside from the single
point of failure, this is a bit like deciding the only possible way to
get from New Zealand to California is to swim. Via the Suez and Panama
canals. Sometimes these setups are needed however. Sigh. For instance
because internal name servers live on RFC1918 nets that cannot reach
or be reached from the internet.
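The forwarding-only setup described above, written out as a named.conf
for BIND 8.2.x. This is an added example, not configuration from either
poster: the forwarder addresses (192.0.2.53 and 192.0.2.54, from the
documentation range), the internal zone name example.internal and the
10.0.0.0/8 network are placeholders to replace with local values.

```conf
// named.conf for an internal, forwarding-only name server (BIND 8.2.x).
// Assumptions (not from the original thread): the forwarders live at
// 192.0.2.53 and 192.0.2.54 and are permitted to recurse on our behalf;
// internal clients sit on 10.0.0.0/8; the private zone is example.internal.

options {
    directory "/var/named";

    // "forward only" sends every query this server cannot answer from
    // its own zones or its cache to the forwarders, and nowhere else.
    // With "forward first" (the default when forwarders are listed) the
    // server would fall back to normal iterative resolution, i.e. to the
    // root servers, whenever the forwarders fail to answer.
    forward only;
    forwarders {
        192.0.2.53;
        192.0.2.54;
    };

    // Only answer internal clients; the box should not be a public
    // resolver even if a firewall rule is ever loosened.
    allow-query { 10.0.0.0/8; 127.0.0.1; };
};

// Note: no "type hint" root zone is declared. A root hints zone is only
// needed for iterative resolution; if one is configured, the server may
// still prime its cache from the root servers at startup, which is the
// traffic seen in the firewall logs.

// The private zone is served authoritatively, so internal names are
// answered here and never leave the network.
zone "example.internal" {
    type master;
    file "db.example.internal";
    allow-transfer { none; };
};

// Reverse zone for the internal address space, for the same reason.
zone "10.in-addr.arpa" {
    type master;
    file "db.10";
    allow-transfer { none; };
};
```

After restarting named, a query such as `dig @127.0.0.1 www.isc.org` should
be answered, and the firewall logs should show outbound port 53 traffic only
to the two forwarders and no longer to the root servers. The single point of
failure Jim mentions is real: if both forwarders are unreachable, this server
has no way to resolve external names at all and will simply time out.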


