Preventing external lookups

Mark admin at asarian-host.net
Tue Nov 11 19:47:25 UTC 2003


"Barry Margolin" <barry.margolin at level3.com> wrote in message
news:erasb.458$lK3.28 at news.level3.com...

> In article <borbpm$1esj$1 at sf1.isc.org>, Mark <admin at asarian-host.net>
> wrote:
>
> > Running BIND 8.4.1, I loaded a large master zone from a DNS blocklist.
> > The result? Matches are found very fast, of course. But when BIND cannot
> > find a match, it still seems to query the root-servers, which can take
> > quite a while to return a negative response.
> >
> > So, my question is, can I prevent any external lookups for one specific
> > zone? External meaning: anything not defined in the zone file itself.
>
> If your server is master for the zone, it should never recurse for
> anything in that zone. Something else must be going on.

You know, I was wrong about the recursion. It just took an awful long time
to resolve. :) The zone I added was the blacklist for dynablock.easynet.nl;
like so:


------------------------------------
zone "dynablock.easynet.nl" {
        type master;
        file "dynablock.txt";
        allow-query { trusted; };
};
------------------------------------


And added the dynablock.txt file. When I do a lookup on a match, it goes
like this:


------------------------------------
asarian-host: {root} % nslookup 200.151.53.64.dynablock.easynet.nl
Server:  localhost
Address:  127.0.0.1

Name:    dsl-cable-dhcp-dialup.ip.dynablock.easynet.nl
Address:  127.0.0.2
Aliases:  200.151.53.64.dynablock.easynet.nl
------------------------------------


For a match, I get the result back immediately, as expected. But for a
non-match, it takes forever to find it:


------------------------------------
asarian-host: {root} % nslookup 70.160.109.194.dynablock.easynet.nl
Server:  localhost
Address:  127.0.0.1

*** Request to localhost timed-out
asarian-host: {root} % nslookup 70.160.109.194.dynablock.easynet.nl
Server:  localhost
Address:  127.0.0.1

*** localhost can't find 70.160.109.194.dynablock.easynet.nl:
Non-existent host/domain
------------------------------------

If I examine my query-log, indeed no recursion took place:

------------------------------------
XX+/127.0.0.1/1.0.0.127.in-addr.arpa/PTR/IN
XX+/127.0.0.1/70.160.109.194.dynablock.easynet.nl/A/IN
XX+/127.0.0.1/70.160.109.194.dynablock.easynet.nl.net/A/IN
XX+/127.0.0.1/1.0.0.127.in-addr.arpa/PTR/IN
XX+/127.0.0.1/70.160.109.194.dynablock.easynet.nl/A/IN
XX+/127.0.0.1/70.160.109.194.dynablock.easynet.nl.net/A/IN
------------------------------------


So, what is taking BIND so long when it cannot find a match? I would have
expected an equally fast response for a non-match.

Thanks,

- Mark
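One way to read a BIND 8 query log like the one quoted above and sort the queried names into those the server can answer from its own master data and those it has to resolve elsewhere. This is an added example in Python, not part of the post or of BIND; it assumes the `dynablock.easynet.nl` zone from the named.conf fragment is the only local zone, and uses the six logged lines as constructed sample input.

```python
from collections import Counter

# Constructed sample input: the six query-log lines quoted in the post.
QUERY_LOG = """\
XX+/127.0.0.1/1.0.0.127.in-addr.arpa/PTR/IN
XX+/127.0.0.1/70.160.109.194.dynablock.easynet.nl/A/IN
XX+/127.0.0.1/70.160.109.194.dynablock.easynet.nl.net/A/IN
XX+/127.0.0.1/1.0.0.127.in-addr.arpa/PTR/IN
XX+/127.0.0.1/70.160.109.194.dynablock.easynet.nl/A/IN
XX+/127.0.0.1/70.160.109.194.dynablock.easynet.nl.net/A/IN
"""

# Assumption: the only zone this server is master for (the named.conf fragment above).
LOCAL_ZONES = {"dynablock.easynet.nl"}

def parse_query_log(text):
    """Parse BIND 8 query-log lines of the form FLAGS/client/name/type/class."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flags, client, name, qtype, qclass = line.strip().split("/")
        records.append({
            "recursion_desired": "+" in flags,  # '+' means the RD bit was set
            "client": client, "name": name.rstrip(".").lower(),
            "qtype": qtype, "qclass": qclass,
        })
    return records

def in_local_zone(name, zones):
    """True if name is the apex of, or lies below, one of the local zones."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def classify(records, zones):
    """Count (name, type) pairs the server answers from its own data vs. ones it must resolve elsewhere."""
    local, external = Counter(), Counter()
    for r in records:
        bucket = local if in_local_zone(r["name"], zones) else external
        bucket[(r["name"], r["qtype"])] += 1
    return local, external

def search_list_artifacts(records, zones):
    """External names that are an in-zone name plus trailing labels, e.g. a search-list suffix."""
    names = {r["name"] for r in records}
    inside = [n for n in names if in_local_zone(n, zones)]
    return sorted(n for n in names if not in_local_zone(n, zones)
                  and any(n.startswith(i + ".") for i in inside))
```

Names that fall outside every local zone, such as one with an extra `.net` label that a client's search list can append, are the queries a recursive server must send to other servers, so they are where the waiting time in a lookup like the one above is likely to be spent.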
