Bind 8.x and Intranets (no Internet) questions

Kevin Darcy kcd at daimlerchrysler.com
Mon Dec 20 23:40:52 UTC 1999


Todd Williams wrote:

> Here is a question that I've been searching for an answer for several
> hours too long...
>
> We had been running a prehistoric version of a Slackware 2.x install and
> Bind 4.x and have upgraded to a new machine Redhat 6.1 with Bind 8.2.1.
> This machine is a multi-segmented corporate "router" if you will, and
> simply connects different segments of our network, and also serves as
> our primary inTRAnet only DNS server.  This machine serves the internal
> hosts to resolve other internal host IPs and names.  I took the working
> files from the old machine, did the conversion from 4.x to 8.x, and
> things seemed to be working okay.  The conversion went fine, and lookups
> work as they did before, with no problem.  So, Bind is up and running
> without problems -- well, almost (for the most part, at least.)
>
> Here is the situation:  This machine is in no way shape or form attached
> to the internet.  We do not want it to attempt to look to the internet root
> servers for answers -- they won't have the answers for these queries
> anyway, not to mention that the box can't even get to the internet root
> servers.  I have attempted several different things, including removing
> the named.ca file (root cache), cat /dev/null > named.ca, adding a root
> server of 127.0.0.1, and always it complains about something into
> /var/log/messages.  Usually something like
> "sysquery: findns error (SERVFAIL) on ?"  -- I don't want all those
> messages cluttering my syslog file.
>
> If a query is posed to this machine, and it is not a host in our
> intranet, we want the DNS to resolve immediately as an unknown host...
> instead of it trying to search (for a really long time) for an internet
> root server it can't get to for an answer.  I was able to do this
> previously by simply erasing the db.cache (root cache) file on the bind
> 4.x distribution, and it worked great!  Bind 8.x doesn't like it when I
> do that.  Is there an easy way to set this up with 8.x?
>
> The big questions are... How can I set up Bind version 8.x so that it
> does not attempt to search beyond itself to the root servers for a
> resolution?  Thoughts?  Suggestions?

Set up the machine as master for an internal root zone, so it'll just
"know" that nothing exists outside of your internal domains. Initially,
this internal root zone could consist trivially of just an SOA and 1
NS record, but to do things properly, you should not only have at least 2
servers and corresponding NS'es for the root zone itself, but you should
also have delegations in that internal root to each of your internal zones.
I'm surprised you've lasted this long with no internal root -- don't you
have any caching-only nameservers on your network?

> The other thing I'm wondering about is this:
>
>                     named[2352]: Forwarding source address is [0.0.0.0].2209
>
> How can I totally turn off forwarding on Bind 8.x?  Or does this mean
> that it is off -- if so, it doesn't look like it.

It's just an informational message letting you know that if the nameserver
needs to send any queries, it'll use an unbound socket to do so (as opposed
to forcing all queries to use a particular source address via the
query-source option). It has nothing to do with any "forwarding" options or
the "forwarding" mechanisms they enable.


- Kevin
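Putting the internal-root advice above into files, as an added example that is not from the post (corp.example, the ns1/ns2 names and the 10.x.x.x addresses are placeholders): named.conf gets `zone "." { type master; file "db.root-internal"; };` beside the existing zones, and db.root-internal holds the internal root with its own NS records, the delegations to the internal zones, and the glue those delegations need.

```dns
; db.root-internal  (constructed example; corp.example and 10/8 are placeholders)
$TTL 86400
.                  IN SOA ns1.corp.example. hostmaster.corp.example. (
                          1999122001 ; serial (YYYYMMDDnn)
                          3600       ; refresh
                          900        ; retry
                          604800     ; expire
                          86400 )    ; negative-caching TTL

; the internal root itself is served by two internal nameservers
.                  IN NS  ns1.corp.example.
.                  IN NS  ns2.corp.example.

; delegation of the forward zone to the same two servers
corp.example.      IN NS  ns1.corp.example.
corp.example.      IN NS  ns2.corp.example.

; delegation of the reverse zone for the 10/8 intranet
10.in-addr.arpa.   IN NS  ns1.corp.example.
10.in-addr.arpa.   IN NS  ns2.corp.example.

; glue: the nameserver names live inside a delegated zone,
; so their addresses must be given here as well
ns1.corp.example.  IN A   10.1.0.53
ns2.corp.example.  IN A   10.2.0.53
```

Because the server is now authoritative for the root (the old `type hint` zone for "." and the named.ca file must go, since two zones for "." cannot coexist), a name outside the delegated zones gets an immediate NXDOMAIN and no root-server query is ever attempted. ns2 should carry the same zone as a slave so the root really has the two servers the reply asks for.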