Negative zones; NXDOMAIN responses
Narcis Garcia
informatica at actiu.net
Mon May 20 07:51:37 UTC 2013
- Yes, I thought about not using DNS from the same internet provider,
but wanted to know if there is a way to patch only the .local response.
- This is the configuration I use in one of the LANs:
view "local-nets" {
    match-clients { acl_local-nets; };
    recursion yes;
    forwarders {
        62.151.2.8;
    };
    include "/etc/bind/named.conf.default-zones";
};
- These are the tests to be done from a client:
$ host -t SOA local.
$ host -t SOA local. 62.151.2.8
- I've tried to create an empty zone, or one lacking A or SOA records,
but then BIND9 doesn't load it:
zone local/IN: has 0 SOA records
zone local/IN: has no NS records
zone local/IN: not loaded due to errors.
- I'm using BIND 9.7.3 from Debian 6, and I see that I need to upgrade
to BIND 9.8.4 from Debian 7 to configure an RPZ zone.
But I'm not sure if it's useful for SOA records.
On 20/05/13 09:00, Matus UHLAR - fantomas wrote:
>>> On 19 May 2013 20:51, Narcis Garcia <informatica at actiu.net> wrote:
>>>> The internet ISP returns positive values for .local
>>>> queries, and I need that LAN clients receive NXDOMAIN instead.
>
> do they return positive answers for any non-existing domains?
> (is this one of ISPs wanting to make money on mistypes and lying to the
> people?)
> On 19.05.13 21:26, Steven Carr wrote:
>> But in response to the actual question... what you want to do is not
>> possible in BIND zone configs as you can't create a negative zone
>> (that I'm aware of).
>
> He can create an empty .local zone that will return NXDOMAIN for everything.
>
>> On 19 May 2013 21:22, Steven Carr <sjcarr at gmail.com> wrote:
>>> Why are you forwarding queries to the ISP? Implement your own caching
>>> layer, I for one would never use/trust an ISPs caching servers. If I
>>> want to resolve a domain I go direct to the source, not via a 3rd
>>> party.
>
> This is the real solution. You should not use services broken like this of
> any ISP. I'd even recommend not to use ANY services of such ISPs.
>
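Matus's "empty .local zone" suggestion worked through as an added example (not configuration from the thread): BIND rejects a zone with no SOA or NS records, as the errors above show, but a zone that holds only those two records loads fine and makes this resolver answer NXDOMAIN for every name below local. without forwarding anything to the ISP. The zone file path /etc/bind/db.empty-local and the use of localhost. as the placeholder SOA/NS name are assumptions; Debian's bind9 package ships an equivalent file as /etc/bind/db.empty.

```bind
// /etc/bind/named.conf.local: the existing view, plus the added zone
view "local-nets" {
    match-clients { acl_local-nets; };
    recursion yes;
    forwarders {
        62.151.2.8;
    };
    include "/etc/bind/named.conf.default-zones";

    // Authoritative for "local." only inside this view. The zone holds
    // nothing but the SOA and NS that BIND requires, so queries for
    // anything under .local never reach the forwarder and get NXDOMAIN
    // from this server instead of the ISP's positive answer.
    zone "local" {
        type master;
        file "/etc/bind/db.empty-local";   // assumed path, contents below
    };
};

; /etc/bind/db.empty-local (zone file; ';' starts a comment in this format)
$TTL 86400
@       IN      SOA     localhost. root.localhost. (
                        1           ; serial
                        604800      ; refresh
                        86400       ; retry
                        2419200     ; expire
                        86400 )     ; negative-caching TTL: how long clients keep the NXDOMAIN
@       IN      NS      localhost.
; deliberately no other records: any name below "local." is NXDOMAIN
```

The apex local. itself answers with its SOA/NS rather than NXDOMAIN, so test with a name below it (host -t A something.local) after an rndc reload; the negative-caching TTL in the SOA bounds how long clients cache the NXDOMAIN.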