Never recurse for unknown intern addresses ?

Kevin Darcy kcd at daimlerchrysler.com
Wed Mar 22 20:54:00 UTC 2000


Runu Knips wrote:

> Joseph S D Yao wrote:
> > On Thu, Mar 09, 2000 at 09:01:27AM +0100, Runu Knips wrote:
> > > We have an intern network with a modem connection to the provider.
> > > Our firewall runs bind 8.2.2pl5 under linux.
> > >
> > > We would like to specify to bind that it should answer ALL requests
> > > for intern addresses WITHOUT asking the nameserver at our provider
> > > for it. Especially it should NOT ask the nameserver at our provider
> > > for addresses which (a) don't contain any dot OR (b) are in the
> > > domain, AND are unknown. Bind should simply say that they don't
> > > exist, and quit further processing.
> >
> > If you declare on your local server that it is authoritative for a
> > given domain, then it will NEVER ask ANY OTHER server for names in that
> > domain.  If it doesn't know them, they are unknown.  This is the
> > meaning of "authoritative".
> >
> > If this conflicts with another, different "authoritative" name server
> > for the same domain, obviously you should be using different domains.
> > Perhaps one could be a subdomain of the other.
> >
> > Your resolver is what programs use to resolve names, though.  Your
> > resolver is different from your server!  Your resolver is configured in
> > /etc/resolv.conf.  If you ONLY put your name server in there, then all
> > queries will be done first to your name server [and the above scheme
> > will work].  If you ONLY put your domain in there, and no search path,
> > then it will only try to resolve dotless names as nameDOTyourdomain.
> >
> > SO - BIND already does what you want, it would appear.  Have you been
> > having problems?
> >
> > Please note that the name server WILL query to the Internet [but not
> > necessarily to your ISP, unless you have forwarded it that way] (a)
> > when it starts, to verify the root servers; and (b) when it tries to
> > resolve a name that it does not know.
>
> Thank you for your answer. Somehow I really had problems to post here
> and have already given up... finally one of my postings appeared anyway.
> Well the thing is, bind really can't do what we want it to do. If it
> knows the zone ".freezer" and someone types "mulk" where he actually
> meant "milk", bind will get a request for "mulk" and then for
> "mulk.freezer". Same with "mulk.freezer" -> bind gets "mulk.freezer"
> and "mulk.freezer.freezer". In any case, it always consults its
> forwarders (or the top level nameservers, depending upon your actual
> name server configuration).
>
> Btw, /etc/resolv.conf only works for local programs started on the
> server machine itself (most of the clients are windows machines and
> need to be configured with the graphical interface).

You could always define authoritative names for some of the common
misspellings. Here, for instance, I have "diamlerchrysler.com" and
"daimlerchrylser.com" zones defined, since those are common misspellings of
our domain name. Just take care that you're not blocking anything
*legitimate* when you do this.


- Kevin




More information about the bind-users mailing list