Never recurse for unknown intern addresses ?

Runu Knips runu.knips.NOSPAM at DELETEgmx.de
Wed Mar 22 08:02:49 UTC 2000 

Joseph S D Yao wrote:
> On Thu, Mar 09, 2000 at 09:01:27AM +0100, Runu Knips wrote:
> > We have an intern network with a modem connection to the provider.
> > Our firewall runs bind 8.2.2pl5 under linux.
> >
> > We would like to specify to bind that it should answer ALL requests
> > for intern addresses WITHOUT asking the nameserver at our provider
> > for it. Especially it should NOT ask the nameserver at our provider
> > for addresses which (a) don't contain any dot OR (b) are in the
> > domain, AND are unknown. Bind should simply say that they don't
> > exist, and quit further processing.
> 
> If you declare on your local server that it is authoritative for a
> given domain, then it will NEVER ask ANY OTHER server for names in that
> domain.  If it doesn't know them, they are unknown.  This is the
> meaning of "authoritative".
> 
> If this conflicts with another, different "authoritative" name server
> for the same domain, obviously you should be using different domains.
> Perhaps one could be a subdomain of the other.
> 
> Your resolver is what programs use to resolve names, though.  Your
> resolver is different from your server!  Your resolver is configured in
> /etc/resolv.conf.  If you ONLY put your name server in there, then all
> queries will be done first to your name server [and the above scheme
> will work].  If you ONLY put your domain in there, and no search path,
> then it will only try to resolve dotless names as nameDOTyourdomain.
> 
> SO - BIND already does what you want, it would appear.  Have you been
> having problems?
> 
> Please note that the name server WILL query to the Internet [but not
> necessarily to your ISP, unless you have forwarded it that way] (a)
> when it starts, to verify the root servers; and (b) when it tries to
> resolve a name that it does not know.

Thank you for your answer. Somehow I really had problems to post here
and have already given up... finally one of my postings appeared anyway.
Well the thing is, bind really can't do what we want it to do. If it
knows the zone ".freezer" and someone types "mulk" where he actually
meant "milk", bind will get a request for "mulk" and then for
"mulk.freezer". Same with "mulk.freezer" -> bind gets "mulk.freezer"
and "mulk.freezer.freezer". In any case, it always consults its
forwarders (or the top level nameservers, depending upon your actual
name server configuration).

Btw, /etc/resolv.conf only works for local programs started on the
server machine itself (most of the clients are windows machines and
need to be configured with the graphical interface).

More information about the bind-users mailing list