No query to root-nameserver for private ips

Kevin Darcy kcd at daimlerchrysler.com
Tue Mar 14 20:19:30 UTC 2006


Leopold Aichinger wrote:

>For our LAN(s) we use 10.10.10.0/24, 192.168.64.0-192.168.254.0 and 172.30.0.0/24.
>Perhaps because of misconfiguration, sometimes hosts query the internal DNS
>for IP addresses outside this range (for example they do a reverse lookup
>for the IP 10.1.2.3).
>The internal DNS is configured as forward first, so if the
>DNS cannot answer a query, for example for 10.1.2.3 (which of course the forwarders
>cannot answer either), the internal DNS will contact a root nameserver.
>
>I now want to reduce this traffic, and to do so I generated a zone file
>which I called notused.db:
>-------------------
>$ttl 7D 
>@       IN      SOA     router1.bfi20s. administrator.bfi20s.  (
>                                      1		 ; Serial
>                                      10800      ; Refresh
>                                      3600       ; Retry
>                                      604800     ; Expire
>                                      86400 )    ; Minimum
>
>              IN      NS      router1.bfi20s.
>
>------------------
>Note: router1.bfi20s is the internal DNS.
>
>
>The interesting part of /etc/named.conf for this zone file:
>------------------
>
><-- snipp -->
>	forward first;
>	forwarders {
>		x.x.x.x;
>		y.y.y.y;
>		};
>};
>
>< -- snipp -- >
>
>zone "10.10.10.in-addr.arpa" {
>	type master;
>	file "10.10.10.zone";
>};
>
>zone "10.in-addr.arpa" {
>	type master;
>	file "db.notused";
>};
>
>------------------
>
>If I now do a:
># dig @127.0.0.1 +trace 10.1.2.3
>logged in on the internal DNS, I get the following output:
> 
>....................................................................................
>; <<>> DiG 9.2.4 <<>> @127.0.0.1 +trace 10.1.2.3
>;; global options:  printcmd
>.			476937	IN	NS	E.ROOT-SERVERS.NET.
>
>< -- snipp -- >
>
>.	476937	IN	NS	D.ROOT-SERVERS.NET.
>;; Received 436 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
>
>.	86400	IN	SOA	A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2006031301 1800 900 604800 86400
>;; Received 101 bytes from 192.203.230.10#53(E.ROOT-SERVERS.NET) in 445 ms
>                           ^^^^^^^^^^^^^                           ^^^^^^^
>....................................................................................
>          
>How can I stop my internal DNS querying the root nameserver for
>internal addresses it cannot resolve?
>Thanks for every idea or every hint where I can get useful knowledge!
>
Are you sure the zone loaded properly? You refer to the zone file as 
notused.db in one part of your message, but the named.conf excerpt 
specifies db.notused -- those two don't match. What happens if you do a 
query directly of the 10.in-addr.arpa domain, e.g. for its SOA record? 
Do you get a good response?

- Kevin
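Kevin's question is whether the zone actually loaded. As an added example that is not from the thread, the Python script below parses the zone statements of a named.conf, reports referenced zone files that are not on disk (the notused.db / db.notused mismatch), and also lists which RFC 1918 reverse zones still have no local definition; this goes beyond the thread's 10/8 case, since reverse queries for 172.16/12 and 192.168/16 would otherwise still be forwarded or sent to the roots. The sample config and file list are constructed, and the parser assumes zone names are double-quoted.

```python
import re

# Reverse zones that together cover all RFC 1918 space: 10/8 is one /8 zone,
# 172.16/12 needs sixteen /16 zones and 192.168/16 is one /16 zone.
def rfc1918_reverse_zones():
    return (["10.in-addr.arpa"]
            + [f"{n}.172.in-addr.arpa" for n in range(16, 32)]
            + ["168.192.in-addr.arpa"])

def parse_zones(named_conf):
    """Return {zone name: file name or None} for every top-level zone block.

    A small brace counter finds the end of each block, so nested statements
    such as allow-update { ... }; inside a zone do not confuse the parser.
    """
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', named_conf):
        depth, i = 1, m.end()
        while i < len(named_conf) and depth:
            depth += {"{": 1, "}": -1}.get(named_conf[i], 0)
            i += 1
        body = named_conf[m.end():i]
        f = re.search(r'\bfile\s+"([^"]+)"\s*;', body)
        zones[m.group(1).lower()] = f.group(1) if f else None
    return zones

def check_config(named_conf, existing_files):
    """List zone files the config references that are not on disk, and RFC 1918
    reverse zones the config does not declare locally (queries for those would
    still leave the server)."""
    problems = []
    zones = parse_zones(named_conf)
    for name, path in zones.items():
        if path is not None and path not in existing_files:
            problems.append(f'zone "{name}" refers to missing file {path}')
    for z in rfc1918_reverse_zones():
        if z not in zones:
            problems.append(f"no local zone for {z}")
    return problems

# Constructed sample: the zone statements from the thread, with the file on
# disk named notused.db (as the message describes) rather than db.notused.
SAMPLE_CONF = '''
zone "10.10.10.in-addr.arpa" { type master; file "10.10.10.zone"; };
zone "10.in-addr.arpa" { type master; file "db.notused"; };
'''
FILES_ON_DISK = {"10.10.10.zone", "notused.db"}

if __name__ == "__main__":
    for p in check_config(SAMPLE_CONF, FILES_ON_DISK):
        print(p)
```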




More information about the bind-users mailing list