Never recurse for unknown intern addresses?

Mark.Andrews at nominum.com
Wed Mar 22 22:09:29 UTC 2000


> Joseph S D Yao wrote:
> > On Thu, Mar 09, 2000 at 09:01:27AM +0100, Runu Knips wrote:
> > > We have an intern network with a modem connection to the provider.
> > > Our firewall runs bind 8.2.2pl5 under linux.
> > >
> > > We would like to specify to bind that it should answer ALL requests
> > > for intern addresses WITHOUT asking the nameserver at our provider
> > > for it. Especially it should NOT ask the nameserver at our provider
> > > for addresses which (a) don't contain any dot OR (b) are in the
> > > domain, AND are unknown. Bind should simply say that they don't
> > > exist, and quit further processing.
> > 
> > If you declare on your local server that it is authoritative for a
> > given domain, then it will NEVER ask ANY OTHER server for names in that
> > domain.  If it doesn't know them, they are unknown.  This is the
> > meaning of "authoritative".
> > 
> > If this conflicts with another, different "authoritative" name server
> > for the same domain, obviously you should be using different domains.
> > Perhaps one could be a subdomain of the other.
> > 
> > Your resolver is what programs use to resolve names, though.  Your
> > resolver is different from your server!  Your resolver is configured in
> > /etc/resolv.conf.  If you ONLY put your name server in there, then all
> > queries will be done first to your name server [and the above scheme
> > will work].  If you ONLY put your domain in there, and no search path,
> > then it will only try to resolve dotless names as nameDOTyourdomain.
> > 
> > SO - BIND already does what you want, it would appear.  Have you been
> > having problems?
> > 
> > Please note that the name server WILL query to the Internet [but not
> > necessarily to your ISP, unless you have forwarded it that way] (a)
> > when it starts, to verify the root servers; and (b) when it tries to
> > resolve a name that it does not know.
> 
> Thank you for your answer. Somehow I really had problems posting here
> and had already given up... finally one of my postings appeared anyway.
> Well, the thing is, bind really can't do what we want it to do. If it
> knows the zone ".freezer" and someone types "mulk" where he actually
> meant "milk", bind will get a request for "mulk" and then for
> "mulk.freezer". Same with "mulk.freezer" -> bind gets "mulk.freezer"
> and "mulk.freezer.freezer". In any case, it always consults its
> forwarders (or the top level nameservers, depending upon your actual
> name server configuration).

	Both of these would be answered with NXDOMAIN by the server
	without consulting the forwarders.  A query for "mulk" however
	would go out if the client also requested the unqualified name.

	You haven't said whether the default domain is two or three
	plus labels long.  If it's the latter, the default search list
	of old resolvers would be:

		label1.label2.label3
		label2.label3

	You can use the search directive to override this.
> 
> Btw, /etc/resolv.conf only works for local programs started on the
> server machine itself (most of the clients are windows machines and
> need to be configured with the graphical interface).

	But they have equivalent mechanisms.

	Mark
--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
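As an added illustration (not code from the thread or from BIND itself), the Python below simulates the search-list behaviour discussed above: which names a stub resolver tries for a typo such as "mulk", and which of those a server authoritative for the "freezer" zone answers with NXDOMAIN itself rather than passing to its forwarders. It assumes the BIND res_search convention (a name with at least ndots dots is tried as given first, otherwise the search suffixes come first) and that every candidate name is unknown, which is the typo case in the thread.

```python
"""Simulate stub-resolver search-list expansion and which resulting queries a
local authoritative server can answer without consulting its forwarders."""


def default_search_list(default_domain: str) -> list[str]:
    """Old BIND resolvers derived the search list from the default domain by
    dropping leading labels until two remain (label1.label2.label3 gives
    [label1.label2.label3, label2.label3]); a one- or two-label domain is
    used as-is. Assumed behaviour, reconstructed from the thread."""
    labels = default_domain.strip(".").split(".")
    stop = max(len(labels) - 1, 1)
    return [".".join(labels[i:]) for i in range(stop)]


def query_sequence(name: str, search_list: list[str], ndots: int = 1) -> list[str]:
    """Names a stub resolver tries, in order, when every answer is NXDOMAIN.
    Follows the res_search convention: enough dots -> try as given first."""
    if name.endswith("."):  # fully qualified: no search-list processing at all
        return [name.rstrip(".")]
    with_suffixes = [f"{name}.{suffix}" for suffix in search_list]
    if name.count(".") >= ndots:
        return [name] + with_suffixes
    return with_suffixes + [name]


def handled_locally(qname: str, authoritative_zones: list[str]) -> bool:
    """True when qname falls inside a zone the local server is authoritative
    for: it then answers (NXDOMAIN if the name is unknown) on its own."""
    labels = qname.lower().split(".")
    for zone in authoritative_zones:
        zone_labels = zone.lower().strip(".").split(".")
        if labels[-len(zone_labels):] == zone_labels:
            return True
    return False


def forwarded_queries(name: str, search_list: list[str],
                      zones: list[str], ndots: int = 1) -> list[str]:
    """The subset of the resolver's attempts that leave for the forwarders."""
    return [q for q in query_sequence(name, search_list, ndots)
            if not handled_locally(q, zones)]


if __name__ == "__main__":
    zones, search = ["freezer"], ["freezer"]  # constructed from the thread
    for typo in ("mulk", "mulk.freezer"):
        print(typo, "->", query_sequence(typo, search),
              "forwarded:", forwarded_queries(typo, search, zones))
    print(default_search_list("label1.label2.label3"))
```

Only the bare "mulk" attempt leaves the site; every "*.freezer" name is answered locally, which is the distinction Mark draws above.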