No subject


Tue Apr 2 00:56:56 UTC 2013


"With BIND, you can only do this for zones for which you are
authoritative, by putting wildcard entries in those zones. So, unless
you want to claim authority for every zone on the Internet, you can't
do it *universally*.

Note, many of us view this practice as inherently evil, especially
after the SiteFinder ( http://en.wikipedia.org/wiki/Site_Finder )
incident. It's usually done to try and "monetize" (see also "make money
from", "scam") people's typos."

> limited environment it won't be a problem, but I am finding that the
> forward options do not appear to be working as advertised (at least what
> I have read).  As such I would request that the discussions related to
> the political side of this issue be ignored for this thread, I know it's
> a charged issue, but I also don't operate a root server, or really
> anything outside of a small office of people who wanted this, as I am
> the "goto volunteer" the task fell to me.
> 
> I have tried both forwarding to my local bind via a different view, as
> well as to a 3rd party DNS server (ISPs) and neither appear to be
> working.  I have tried placing the forward/forwarders options both in
> the main options{} section as well as in the view that really needs it,
> both failed.

Basically, you're going to have to set up an internal root zone with
individual zones for the 'other' zones that point to external servers.
I'm not sure that you want to do this.

> When I use the localhost view it works as one would expect, when I use
> the internal view I get only the wildcard data.  I verified with tcpdump
> and setting to the ISP NS that it does not send any packets out to
> 'forward' the request.
> 
> So my question is why does "forward first" not forward first then check
> the root zone, why does it go directly to the root zone and not even
> attempt to forward first?  Its either a broken (as I understand it)
> feature or my config is bad.  

I'd be willing to bet that your config is bad.  But since you didn't
post it, we can't comment on it.

> Or is there some other way to basically remap a NXDOMAIN to something
> else short of either a proxy, code hack, or something else that I would
> prefer to avoid if it can be done via the configs.

The problem that you're going to run into here is that the Internet is
NOT just made up of http/https requests.  ("The web is just the
clickable part of the internet.")  You're also going to have to resolve
MX, PTR, A/AAAA, etc requests.

Or you could switch everyone to IE7 and use the M$ "sitefinder"...

Regards,
Gregory Hicks
> 
> Thanks,
> 
> 
> 
> Here is what I am doing (which doesn't forward):
> 
> options {
>         forward first;
>         forwarders { 127.0.0.1; }; // also tried the ISP NS
>         // I also tried putting these in the view and the zone
>         // and neither had the desired effect
> };
> 
> acl "internal" { 192.168.0.0/16; 10.0.0.0/8; 172.16.0.0/20; };
> view "internal" {
> 	match-clients { "internal"; };
> 	recursion yes; // out of desperation
> 	zone "." { type master; file "wildcard"; };
> };
> 
> view "localhost" {
> 	match-clients { localhost; };
> 	forwarders {};
> 	zone "." { type hint; file "db.root"; };
> };
> 
> -- 
> Trixter http://www.0xdecafbad.com     Bret McDanel
> Belfast +44 28 9099 6461        US +1 516 687 5200
> http://www.trxtel.com the phone company that pays you!
> 
> 

---------------------------------------------------------------------
Gregory Hicks                           | Principal Systems Engineer
Cadence Design Systems                  | Direct:   408.576.3609
555 River Oaks Pkwy M/S 9B1
San Jose, CA 95134

People sleep peaceably in their beds at night only because rough men
stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance.  -- Thomas Jefferson

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton
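An added example, not the poster's config nor anything from the thread, of one way to lay out the "internal root zone plus individual zones pointing at external servers" that the reply describes: the view stays authoritative for a wildcard "." zone, and each real TLD gets a "forward only" zone, which is more specific than "." and therefore wins for names under it. The TLD list, the documentation-range forwarder address 192.0.2.53 and the wildcard zone contents are assumptions.

```text
// Added example (not from the thread). Forwarder address and TLD list
// are placeholders; use the ISP's resolvers and whatever TLDs the
// office actually needs.
acl "internal" { 192.168.0.0/16; 10.0.0.0/8; 172.16.0.0/20; };

view "internal" {
    match-clients { "internal"; };
    recursion yes;

    // Being master for "." means any name not covered by a more
    // specific zone in this view is answered from the file below.
    // With nothing more specific, "forward first" never fires,
    // which is the symptom seen in the thread.
    zone "." { type master; file "wildcard"; };

    // A "forward only" zone is a closer match than "." for names
    // under it, so those queries are sent to the forwarder instead
    // of being answered from the wildcard. One entry per TLD.
    zone "com"  { type forward; forward only; forwarders { 192.0.2.53; }; };
    zone "net"  { type forward; forward only; forwarders { 192.0.2.53; }; };
    zone "org"  { type forward; forward only; forwarders { 192.0.2.53; }; };
    zone "arpa" { type forward; forward only; forwarders { 192.0.2.53; }; };
};

// Assumed contents of the "wildcard" zone file. The placeholder
// 192.168.1.10 stands for the internal web server that should catch
// typo'd names.
$TTL 300
@   IN  SOA ns.wildcard.invalid. hostmaster.wildcard.invalid. (
            1 3600 900 604800 300 )
@   IN  NS  ns.wildcard.invalid.
ns  IN  A   192.168.1.10
*   IN  A   192.168.1.10
```

Only names under a TLD with no forward zone reach the wildcard; a nonexistent host inside a forwarded TLD still gets the forwarder's NXDOMAIN, and a wildcard A record says nothing for MX or PTR lookups, which is the limitation the reply points out.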


