No query to root-nameserver for private ips
Leopold Aichinger
tux at example.com
Wed Mar 15 07:08:42 UTC 2006
On Tue, 14 Mar 2006 15:19:30 -0500, Kevin Darcy wrote:
> Leopold Aichinger wrote:
>
>>For our LAN(s) we use 10.10.10.0/24, 192.168.64.0-192.168.254.0 and 172.30.0.0/24.
>>Perhaps because of misconfiguration, hosts sometimes query the internal DNS
>>for IP addresses outside this range (for example they do a reverse lookup
>>for the IP 10.1.2.3).
>>The internal DNS is configured as forward first, so if the
>>DNS cannot answer a query for example 10.1.2.3 (which of course the forwarders
>>cannot answer either) the internal DNS will contact a root nameserver.
>>
>>I am now willing to reduce this traffic, and to do so I generated a zone file
>>which I called notused.db:
>>-------------------
>>$ttl 7D
>>@ IN SOA router1.bfi20s. administrator.bfi20s. (
>> 1 ; Serial
>> 10800 ; Refresh
>> 3600 ; Retry
>> 604800 ; Expire
>> 86400 ) ; Minimum
>>
>> IN NS router1.bfi20s.
>>
>>------------------
>>Note: router1.bfi20s is the internal dns.
>>
>>
>>The interesting part of /etc/named.conf for this zone file:
>>------------------
>>
>><-- snipp -->
>> forward first;
>> forwarders {
>> x.x.x.x;
>> y.y.y.y;
>> };
>>};
>>
>>< -- snipp -- >
>>
>>zone "10.10.10.in-addr.arpa" {
>> type master;
>> file "10.10.10.zone";
>>};
>>
>>zone "10.in-addr.arpa" {
>> type master;
>> file "db.notused";
>>};
>>
>>------------------
>>
>>If I now do a:
>># dig @127.0.0.1 +trace 10.1.2.3
>>logged in on the internal DNS, I get the following output:
>>
>>....................................................................................
>>; <<>> DiG 9.2.4 <<>> @127.0.0.1 +trace 10.1.2.3
>>;; global options: printcmd
>>. 476937 IN NS E.ROOT-SERVERS.NET.
>>
>>< -- snipp -- >
>>
>>. 476937 IN NS D.ROOT-SERVERS.NET.
>>;; Received 436 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
>>
>>. 86400 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2006031301 1800 900 604800 86400
>>;; Received 101 bytes from 192.203.230.10#53(E.ROOT-SERVERS.NET) in 445 ms
>> ^^^^^^^^^^^^^ ^^^^^^^
>>....................................................................................
>>
>>How can I stop my internal DNS querying the root nameserver for
>>internal addresses it cannot resolve?
>>Thanks for every idea or every hint where I can get useful knowledge!
>>
> Are you sure the zone loaded properly? You refer to the zone file as
> notused.db in one part of your message, but the named.conf excerpt
> specifies db.notused -- those two don't match. What happens if you do a
> query directly of the 10.in-addr.arpa domain, e.g. for its SOA record?
> Do you get a good response?
>
>
> - Kevin
Thanks for the reply!
This isn't the reason, but was a mistake when I posted. I changed the name
of the zone file because all my zone files start with db. So the name in
/etc/named.conf is correct, but I have renamed the real file too.
In the posting I used the wrong name.
When I restart named I find the following lines in the /var/log/messages
file:
-------------------------
Mar 15 07:39:40 router1 named[31583]: loading configuration from '/etc/named.conf'
Mar 15 07:39:40 router1 named: Starten von named succeeded
Mar 15 07:39:40 router1 named[31583]: no IPv6 interfaces found
Mar 15 07:39:40 router1 named[31583]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 15 07:39:40 router1 named[31583]: listening on IPv4 interface eth0, 172.30.0.2#53
Mar 15 07:39:40 router1 named[31583]: listening on IPv4 interface eth2, 10.10.10.11#53
Mar 15 07:39:40 router1 named[31583]: command channel listening on 127.0.0.1#953
Mar 15 07:39:40 router1 named[31583]: zone 10.in-addr.arpa/IN: loaded serial 1997022700
Mar 15 07:39:40 router1 named[31583]: zone 10.10.10.in-addr.arpa/IN: loaded serial 2004121601
Mar 15 07:39:40 router1 named[31583]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
-------------------------
So the zone gets loaded!
What's interesting:
I have hosts in the net 10.10.10.0/24.
The zone file for the zone 10.in-addr.arpa does not conflict with
10.10.10.in-addr.arpa.
For example the host 10.10.10.210 gets resolved.
But if I try to resolve the IP address 10.1.2.3 my DNS goes outside
to a root nameserver (which is what I am trying to change!).
How can I make my DNS "a root nameserver" for the zone 10.in-addr.arpa
or for the zone 10.168.192.in-addr.arpa?
The IANA has blackhole servers that do this job; how can I configure
my own blackhole server for private net addresses I don't use?
Sorry for posting all the conversation, but I cannot see my original
post. I don't know if this happens to others too?
Thanks,
Leopold Aichinger
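As an added check (not part of the thread), the script below takes a named.conf fragment modelled on the zones Leopold lists, builds the in-addr.arpa name for an address the way `dig -x` forms it, finds the most specific locally authoritative zone covering it, and reports which RFC 1918 reverse zones still have no local zone and would therefore be forwarded or sent towards the roots. The fragment and its file names are constructed for the example.

```python
import re
from ipaddress import ip_address
from typing import List, Optional, Set

# RFC 1918 reverse namespaces a site can answer locally instead of sending to the roots.
RFC1918_REVERSE_ZONES = (
    "10.in-addr.arpa",
    *[f"{n}.172.in-addr.arpa" for n in range(16, 32)],
    "168.192.in-addr.arpa",
)

# Constructed named.conf fragment modelled on the posting (file names are assumed).
NAMED_CONF = """
zone "10.10.10.in-addr.arpa" { type master; file "10.10.10.zone"; };
zone "10.in-addr.arpa"       { type master; file "db.notused"; };
zone "0.0.127.in-addr.arpa"  { type master; file "db.127.0.0"; };
"""


def declared_zones(conf: str) -> Set[str]:
    """Names of all zone {} statements in a named.conf fragment, normalised."""
    return {z.lower().rstrip(".") for z in re.findall(r'zone\s+"([^"]+)"', conf)}


def reverse_name(ip: str) -> str:
    """Reverse-lookup name for an address, as dig -x builds it (no trailing dot)."""
    return ip_address(ip).reverse_pointer


def covering_zone(name: str, zones: Set[str]) -> Optional[str]:
    """Most specific declared zone that equals name or is one of its ancestors."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None  # no local zone: the resolver forwards or goes towards the roots


def missing_rfc1918_zones(zones: Set[str]) -> List[str]:
    """RFC 1918 reverse zones with no local authoritative zone above them."""
    return [z for z in RFC1918_REVERSE_ZONES if covering_zone(z, zones) is None]


if __name__ == "__main__":
    zones = declared_zones(NAMED_CONF)
    for ip in ("10.10.10.210", "10.1.2.3", "192.168.65.7"):
        print(f"{ip:<14} {reverse_name(ip):<28} -> {covering_zone(reverse_name(ip), zones)}")
    print("uncovered RFC 1918 reverse zones:", missing_rfc1918_zones(zones))
```

A 192.168.x.y address maps to a name under 168.192.in-addr.arpa, so a locally served 168.192.in-addr.arpa (or per-/24 zones beneath it) is what keeps those lookups from leaving the resolver.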