No query to root-nameserver for private ips

Leopold Aichinger tux at example.com
Wed Mar 15 07:08:42 UTC 2006


On Tue, 14 Mar 2006 15:19:30 -0500, Kevin Darcy wrote:

> Leopold Aichinger wrote:
> 
>>For our LAN(s) we use 10.10.10.0/24, 192.168.64.0-192.168.254.0 and 172.30.0.0/24.
>>Perhaps because of misconfiguration, sometimes hosts query the internal DNS
>>for IP addresses outside this range (for example they do a reverse lookup
>>for the IP 10.1.2.3).
>>The internal DNS is configured as forward first - so if the
>>DNS cannot answer a query, for example 10.1.2.3 (which of course the forwarders
>>cannot answer either), the internal DNS will contact a root nameserver.
>>
>>I am willing now to reduce this traffic and for doing so I generated a zone file
>>which I called notused.db:
>>-------------------
>>$ttl 7D 
>>@       IN      SOA     router1.bfi20s. administrator.bfi20s.  (
>>                                      1		 ; Serial
>>                                      10800      ; Refresh
>>                                      3600       ; Retry
>>                                      604800     ; Expire
>>                                      86400 )    ; Minimum
>>
>>              IN      NS      router1.bfi20s.
>>
>>------------------
>>Note: router1.bfi20s is the internal dns.
>>
>>
>>The interesting part of the /etc/named.conf for this zone file:
>>------------------
>>
>><-- snipp -->
>>	forward first;
>>	forwarders {
>>		x.x.x.x;
>>		y.y.y.y;
>>		};
>>};
>>
>>< -- snipp -- >
>>
>>zone "10.10.10.in-addr.arpa" {
>>	type master;
>>	file "10.10.10.zone";
>>};
>>
>>zone "10.in-addr.arpa" {
>>	type master;
>>	file "db.notused";
>>};
>>
>>------------------
>>
>>if I do now a:
>># dig @127.0.0.1 +trace 10.1.2.3
>>logged in on the internal dns I get the following output:
>> 
>>....................................................................................
>>; <<>> DiG 9.2.4 <<>> @127.0.0.1 +trace 10.1.2.3
>>;; global options:  printcmd
>>.			476937	IN	NS	E.ROOT-SERVERS.NET.
>>
>>< -- snipp -- >
>>
>>.	476937	IN	NS	D.ROOT-SERVERS.NET.
>>;; Received 436 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
>>
>>.	86400	IN	SOA	A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2006031301 1800 900 604800 86400
>>;; Received 101 bytes from 192.203.230.10#53(E.ROOT-SERVERS.NET) in 445 ms
>>                           ^^^^^^^^^^^^^                           ^^^^^^^
>>....................................................................................
>>          
>>How can I stop my internal DNS querying the root nameserver for
>>internal addresses it cannot resolve?
>>Thanks for every idea or every hint where I can get useful knowledge!
>>
> Are you sure the zone loaded properly? You refer to the zone file as 
> notused.db in one part of your message, but the named.conf excerpt 
> specifies db.notused -- those two don't match. What happens if you do a 
> query directly of the 10.in-addr.arpa domain, e.g. for its SOA record? 
> Do you get a good response?
> 
>                                                                          
>                                                             - Kevin


Thanks for the reply!
This isn't the reason, but was a mistake when I posted. I changed the name
of the zone file because all my zone files start with db. So the name in
/etc/named.conf is correct, but I have renamed the real file too.
In the posting I used the wrong name.
When I restart named I find the following lines in the /var/log/messages
file:
-------------------------
Mar 15 07:39:40 router1 named[31583]: loading configuration from '/etc/named.conf'
Mar 15 07:39:40 router1 named: Starten von named succeeded
Mar 15 07:39:40 router1 named[31583]: no IPv6 interfaces found
Mar 15 07:39:40 router1 named[31583]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 15 07:39:40 router1 named[31583]: listening on IPv4 interface eth0, 172.30.0.2#53
Mar 15 07:39:40 router1 named[31583]: listening on IPv4 interface eth2, 10.10.10.11#53
Mar 15 07:39:40 router1 named[31583]: command channel listening on 127.0.0.1#953
Mar 15 07:39:40 router1 named[31583]: zone 10.in-addr.arpa/IN: loaded serial 1997022700
Mar 15 07:39:40 router1 named[31583]: zone 10.10.10.in-addr.arpa/IN: loaded serial 2004121601
Mar 15 07:39:40 router1 named[31583]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
-------------------------
so the zone gets loaded!
What's interesting:
I have hosts in the net 10.10.10.0/24.
The zone file for the zone 10.in-addr.arpa does not conflict with
10.10.10.in-addr.arpa.
For example the host 10.10.10.210 gets resolved.
But if I try to resolve the IP address 10.1.2.3 my DNS goes outside
to a root nameserver (which is what I am trying to change!).

How can I make my DNS "a root nameserver" for the zone 10.in-addr.arpa
or for the zone 10.168.192.in-addr.arpa?
IANA has blackhole servers which do this job - how can I now configure
my own blackhole server for private net addresses I don't use?


Sorry for posting all the conversation - but I cannot see my original 
post - I don't know if this happens to others too?

thx

leopold aichinger
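Added example, not part of the thread: a shell script that generates empty master zones for every RFC 1918 reverse block (the same db.notused approach as in the post, extended to 172.16/12 and 192.168/16) and checks one address the way a client would. It assumes BIND 9 with dig on the path and a zone directory of /var/named; the nameserver name router1.bfi20s. is taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): make the local server authoritative for
# every RFC 1918 reverse block, so lookups for unused private addresses are
# answered NXDOMAIN locally instead of being sent to the forwarders or the roots.
# Assumptions: BIND 9 with dig on the path; zones live under $ZONEDIR.
ZONEDIR="${ZONEDIR:-/var/named}"   # assumed path; match the "directory" in named.conf
NS="${NS:-router1.bfi20s.}"        # the internal server's name, as in the thread

# Print every RFC 1918 reverse zone name: 10/8, 172.16/12 (16 zones), 192.168/16.
rfc1918_reverse_zones() {
    echo "10.in-addr.arpa"
    i=16
    while [ "$i" -le 31 ]; do
        echo "$i.172.in-addr.arpa"
        i=$((i + 1))
    done
    echo "168.192.in-addr.arpa"
}

# Emit a minimal empty zone: SOA + NS only, no PTR records, so any name under it
# gets NXDOMAIN with this server's own SOA in the authority section.
empty_zone_file() {
    printf '$TTL 7D\n@ IN SOA %s administrator.bfi20s. ( 1 10800 3600 604800 86400 )\n@ IN NS %s\n' "$NS" "$NS"
}

# Emit named.conf stanzas; all zones share the one empty file. A more specific
# zone declared separately (e.g. 10.10.10.in-addr.arpa) still wins, because
# named answers from the closest enclosing zone it is authoritative for.
named_conf_stanzas() {
    rfc1918_reverse_zones | while read -r z; do
        printf 'zone "%s" {\n\ttype master;\n\tfile "db.notused";\n};\n' "$z"
    done
}

# Check: a reverse query must come back NXDOMAIN from 127.0.0.1, not from a root server.
check_blackholed() {
    dig @127.0.0.1 -x "$1" +noall +comments | grep -q 'status: NXDOMAIN'
}

if [ "${1:-}" = "install" ]; then
    empty_zone_file > "$ZONEDIR/db.notused"
    named_conf_stanzas > "$ZONEDIR/rfc1918-reverse.conf"  # include this from named.conf, then rndc reload
fi
```

Note that `dig +trace 10.1.2.3` asks for the A record of the name `10.1.2.3.` and walks down from the root servers itself, so it shows root-server traffic no matter what zones the local server holds; `dig @127.0.0.1 -x 10.1.2.3` without `+trace` is the query that exercises the reverse zone through the server's normal resolution.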