Nameservers not reachable by the roots

Kevin Darcy kcd at
Tue Feb 21 22:19:14 UTC 2006

ewilts at wrote:

>Do nameservers have to be reachable by the roots?  I've got a weird
>case where the nameservers are behind firewalls and should only be
>reachable for users who tunnel in.  So, for example, I'd like to have a
>domain with DNS server entries and  When
>the tunnel is up, these are reachable.  When the tunnel is done,
>they're not.  However, nobody will be able to determine the validity of
>the domain unless they have a tunnel.  Is this allowed in DNSland?  We
>seem to recall that registrars don't want you to register a domain
>without a valid DNS server - in this case, it doesn't appear valid to
>the registrar even though it is for the people that have the
>authorization to look up the entries in the domain.
No, the root nameservers are, to all appearances at least, 
non-recursive, meaning they don't provide resolution of any zones 
outside of the ones they host. They would never be trying to query your 

You *may*, however, run into problems if you're trying to run a regular 
iterative resolver at the far end of the tunnel, since presumably there 
will be no delegation in the Internet DNS for whatever domain(s) you're 
using through the tunnel, so it will have no way to know to ask the 
nameservers on your end of the tunnel. You might have to "spike" that 
iterative resolver with some selective slave/stub/forwarder definitions, 
so it knows where to resolve what.

As for your registry questions I think it's fairly common to just 
"reserve" or "park" a domain, without actually hosting anything for it. 
Or, a lot of registrars will throw in some minimal domain hosting for 
free or very low cost. Bear in mind that if the Internet DNS 
infrastructure is not necessary to resolve names in the domain in 
question, the only reason for registering it at all is just to make sure 
that no-one else does -- an eventuality which could cause complications 
if sites get set up under that domain, that your users may actually want 
to get to someday. Another, cheaper route is to pick a "bogus" TLD such 
as .internal for your "private" domain(s). Then you don't have to register 
anything with anybody.

                                             - Kevin
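A concrete form of the "spike the iterative resolver" suggestion above, as an added example that is not from the original post or from BIND's own documentation: a `named.conf` fragment for the recursive resolver at the user end of the tunnel. The private domain `corp.internal`, the tunnel-side nameserver addresses `10.20.0.53` and `10.20.0.54`, and the `10.20.0.0/24` reverse range are assumed placeholder values.

```conf
// Added example (not from the original post). Assumed values:
// private zone "corp.internal", tunnel-side authoritative servers
// 10.20.0.53 and 10.20.0.54, and a resolver that serves only its own LAN.

options {
    directory "/var/named";
    recursion yes;
    // Only hosts on the local networks may use this resolver recursively.
    allow-recursion { localnets; localhost; };
};

// Forward zone: any name under corp.internal is sent to the tunnel-side
// servers instead of being iterated from the root, which has no
// delegation for it. "forward only" means that if the tunnel is down the
// query fails outright instead of falling back to root iteration, which
// would leak internal names to the public DNS and return NXDOMAIN anyway.
zone "corp.internal" IN {
    type forward;
    forward only;
    forwarders { 10.20.0.53; 10.20.0.54; };
};

// Reverse lookups for the private address range go the same way.
zone "0.20.10.in-addr.arpa" IN {
    type forward;
    forward only;
    forwarders { 10.20.0.53; 10.20.0.54; };
};

// Alternative to the forward zone (use one or the other, not both): a stub
// zone copies only the NS records of corp.internal from the masters, so the
// resolver then iterates directly to whichever authoritative servers the
// zone lists rather than relaying every query through a forwarder.
// zone "corp.internal" IN {
//     type stub;
//     masters { 10.20.0.53; 10.20.0.54; };
//     file "stub.corp.internal";
// };
```

Run `named-checkconf` on the result before reloading, and confirm with `dig @127.0.0.1 host.corp.internal` that the answer arrives while the tunnel is up and fails (rather than being answered by the public roots) when it is down.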
