Never recurse for unknown intern addresses ?

Joseph S D Yao jsdy at
Thu Mar 9 17:30:40 UTC 2000

On Thu, Mar 09, 2000 at 09:01:27AM +0100, Runu Knips wrote:
> We have an intern network with a modem connection to the provider.
> Our firewall runs bind 8.2.2pl5 under linux.
> We would like to specify to bind that it should answer ALL requests
> for intern addresses WITHOUT asking the nameserver at our provider
> for it. Especially it should NOT ask the nameserver at our provider
> for addresses which (a) don't contain any dot OR (b) are in the
> domain, AND are unknown. Bind should simply say that they don't
> exist, and quit further processing.

If you declare on your local server that it is authoritative for a
given domain, then it will NEVER ask ANY OTHER server for names in that
domain.  If it doesn't know them, they are unknown.  This is the
meaning of "authoritative".

If this conflicts with another, different "authoritative" name server
for the same domain, obviously you should be using different domains.
Perhaps one could be a subdomain of the other.

Your resolver is what programs use to resolve names, though.  Your
resolver is different from your server!  Your resolver is configured in
/etc/resolv.conf.  If you ONLY put your name server in there, then all
queries will be done first to your name server [and the above scheme
will work].  If you ONLY put your domain in there, and no search path,
then it will only try to resolve dotless names as nameDOTyourdomain.

SO - BIND already does what you want, it would appear.  Have you been
having problems?

Please note that the name server WILL query to the Internet [but not
necessarily to your ISP, unless you have forwarded it that way] (a)
when it starts, to verify the root servers; and (b) when it tries to
resolve a name that it does not know.

Joe Yao				jsdy at - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
This message is not an official statement of COSPO policies.
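
The following is an added example, not part of the original message or of BIND itself. It audits which query names would stay on the local server under the scheme described above. The zone names, file names, addresses and the helper functions `authoritative_zones`, `qualify` and `leaves_server` are constructed for illustration. It assumes flat `zone` blocks, no delegations inside the local zones, and models only the dotless-name qualification step the message describes.

```python
import re

# Constructed sample configuration (not from the original message).
NAMED_CONF = '''
options { directory "/var/named"; };
zone "." { type hint; file "root.hints"; };
zone "corp.example" { type master; file "db.corp.example"; };
zone "0.0.10.in-addr.arpa" { type master; file "db.10.0.0"; };
'''
RESOLV_CONF = '''
domain corp.example
nameserver 127.0.0.1
'''

def authoritative_zones(named_conf):
    """Return zones the server holds as master or slave (flat zone blocks only)."""
    zones = set()
    for name, body in re.findall(r'zone\s+"([^"]+)"[^{]*\{([^}]*)', named_conf):
        m = re.search(r'\btype\s+(\w+)\s*;', body)
        if m and m.group(1) in ("master", "slave"):
            zones.add(name.lower().rstrip("."))
    return zones

def qualify(name, resolv_conf):
    """Append the resolv.conf 'domain' to a dotless name, as the message describes."""
    m = re.search(r'^\s*domain\s+(\S+)', resolv_conf, re.M)
    if "." not in name and m:
        return name + "." + m.group(1)
    return name

def leaves_server(name, named_conf, resolv_conf):
    """True if the query falls outside every authoritative zone, so the
    server would have to ask other name servers to resolve it."""
    labels = qualify(name, resolv_conf).lower().rstrip(".").split(".")
    zones = authoritative_zones(named_conf)
    # Walk up the name: any enclosing authoritative zone keeps the answer local.
    return not any(".".join(labels[i:]) in zones for i in range(len(labels)))

if __name__ == "__main__":
    for q in ("printer", "nosuchhost.corp.example",
              "www.example.org", "5.0.0.10.in-addr.arpa"):
        leaks = leaves_server(q, NAMED_CONF, RESOLV_CONF)
        print(f"{q:26} {'goes upstream' if leaks else 'answered locally'}")
```

Running it against a real configuration shows at a glance which internal forward and reverse names are covered by a local zone and which would still be sent out to other servers.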