Negative zones; NXDOMAIN responses

Narcis Garcia informatica at actiu.net
Mon May 20 07:51:37 UTC 2013


- Yes, I thought about not using DNS from the same internet provider,
but wanted to know if there is a way to patch only the .local response.

- This is the configuration I use in one of the LANs:

view "local-nets" {
        match-clients { acl_local-nets; };
        recursion yes;
        forwarders {
                62.151.2.8;
        };
        include "/etc/bind/named.conf.default-zones";
}

- These are the tests to be done from a client:
$ host -t SOA local.
$ host -t SOA local. 62.151.2.8

- I've tried to create an empty zone, or one lacking A or SOA records,
but then BIND9 doesn't load it:
zone local/IN: has 0 SOA records
zone local/IN: has no NS records
zone local/IN: not loaded due to errors.

- I'm using BIND 9.7.3 from Debian 6, and I see that I need to upgrade
to BIND 9.8.4 from Debian 7 to configure an RPZ zone.
But I'm not sure if it's useful for SOA records.


On 20/05/13 09:00, Matus UHLAR - fantomas wrote:
>>> On 19 May 2013 20:51, Narcis Garcia <informatica at actiu.net> wrote:
>>>> The internet ISP returns positive values for .local
>>>> queries, and I need that LAN clients receive NXDOMAIN instead.
> 
> do they return positive answers for any non-existing domains?
> (is this one of ISPs wanting to make money on mistypes and lying to the
> people?)
> On 19.05.13 21:26, Steven Carr wrote:
>> But in response to the actual question... what you want to do is not
>> possible in BIND zone configs as you can't create a negative zone
>> (that I'm aware of).
> 
> He can create empty .local zone that will return NXDOMAIN for everything.
> 
>> On 19 May 2013 21:22, Steven Carr <sjcarr at gmail.com> wrote:
>>> Why are you forwarding queries to the ISP? Implement your own caching
>>> layer, I for one would never use/trust an ISPs caching servers. If I
>>> want to resolve a domain I go direct to the source, not via a 3rd
>>> party.
> 
> This is the real solution. You should not use services broken like this of
> any ISP. I'd even recommend not to use ANY services of such ISPs.
> 
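As an added example (not from anyone in the thread), this is the empty-zone approach Matus describes, applied to the view shown above: the zone statement goes inside view "local-nets", and the zone file carries exactly the SOA and NS records that BIND's loader complains about. The file name db.empty-local and the localhost. names are assumptions.

```conf
// Add inside view "local-nets" in named.conf. An authoritative zone in the
// view takes precedence over the view's forwarders, so nothing under
// "local." is ever sent to the ISP resolver.
zone "local" {
        type master;
        file "/etc/bind/db.empty-local";   // assumed file name
};

; /etc/bind/db.empty-local: the minimum a zone needs to load (one SOA and
; at least one NS) with no other names, so every name below the apex is
; answered NXDOMAIN. Debian's bind9 ships an equivalent /etc/bind/db.empty.
$TTL    86400
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative cache TTL: how long clients cache the NXDOMAIN
;
@       IN      NS      localhost.
; Caveat: the apex "local." itself now exists, so "host -t SOA local." returns
; this SOA and "host -t A local." returns NOERROR with no data (NODATA);
; only names below it, e.g. "host foo.local.", return NXDOMAIN.
```

Validate with named-checkzone local /etc/bind/db.empty-local before running rndc reload. The same zone must be added to every view that should give the NXDOMAIN answer, since zones are per view.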