No query to root-nameserver for private ips

Leopold Aichinger tux at example.com
Tue Mar 14 14:02:37 UTC 2006


For our LAN(s) we use 10.10.10.0/24, 192.168.64.0-192.168.254.0 and 172.30.0.0/24.
Perhaps because of misconfiguration, hosts sometimes query the internal DNS
for IP addresses outside this range (for example they do a reverse lookup
for the IP 10.1.2.3).
The internal DNS is configured as forward first, so if the
DNS cannot answer a query for, for example, 10.1.2.3 (which of course the forwarders
cannot answer either) the internal DNS will contact a root nameserver.

I now want to reduce this traffic, and to do so I generated a zone file
which I called notused.db:
-------------------
$ttl 7D 
@       IN      SOA     router1.bfi20s. administrator.bfi20s.  (
                                      1		 ; Serial
                                      10800      ; Refresh
                                      3600       ; Retry
                                      604800     ; Expire
                                      86400 )    ; Minimum

              IN      NS      router1.bfi20s.

------------------
Note: router1.bfi20s is the internal dns.


The interesting part of /etc/named.conf for this zone file:
------------------

<-- snip -->
	forward first;
	forwarders {
		x.x.x.x;
		y.y.y.y;
	};
};

<-- snip -->

zone "10.10.10.in-addr.arpa" {
	type master;
	file "10.10.10.zone";
};

zone "10.in-addr.arpa" {
	type master;
	file "db.notused";
};

------------------

If I now run:
# dig @127.0.0.1 +trace 10.1.2.3
logged in on the internal DNS, I get the following output:

....................................................................................
; <<>> DiG 9.2.4 <<>> @127.0.0.1 +trace 10.1.2.3
;; global options:  printcmd
.			476937	IN	NS	E.ROOT-SERVERS.NET.

<-- snip -->

.	476937	IN	NS	D.ROOT-SERVERS.NET.
;; Received 436 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

.	86400	IN	SOA	A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2006031301 1800 900 604800 86400
;; Received 101 bytes from 192.203.230.10#53(E.ROOT-SERVERS.NET) in 445 ms
                           ^^^^^^^^^^^^^                           ^^^^^^^
....................................................................................

How can I stop my internal DNS querying the root nameservers for
internal addresses it cannot resolve?
Thanks for every idea or every hint on where I can get useful knowledge!

leopold aichinger 
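The approach in the post (serving an empty zone for the enclosing reverse range so that PTR queries for unassigned private addresses get a local answer) only works for the ranges that actually have such a zone; 10.in-addr.arpa alone does not cover 172.30.x.x or 192.168.x.x, and 172.16.0.0/12 does not fall on an octet boundary, so it needs sixteen separate zones (16.172 through 31.172.in-addr.arpa). The script below is an added example, not part of the original message, that computes the covering in-addr.arpa zone names for a list of networks, renders the matching named.conf stanzas, and shows which configured zone would answer a given PTR name (the most specific enclosing zone wins, so the real 10.10.10.in-addr.arpa data still takes precedence over the empty 10.in-addr.arpa). The zone file name `db.notused` is taken from the poster's config and is a placeholder to adjust. Later BIND releases ship these RFC 1918 reverse zones built in (`empty-zones-enable`), which makes the hand-written stanzas unnecessary there. Note also that `dig +trace` resolves iteratively from the root by design; the query that exercises the server's own zone configuration is `dig -x 10.1.2.3 @127.0.0.1` without `+trace`.

```python
"""Covering in-addr.arpa zones for private address space (added example).

Given a list of IPv4 networks, work out which reverse zones, on octet
boundaries, together cover them, and render BIND `zone` statements that
point each of them at one empty zone file.  A second helper mimics how an
authoritative server picks the closest enclosing zone for a PTR name.
"""
import ipaddress

# The three RFC 1918 ranges; 172.16/12 is not octet-aligned.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def reverse_zones(cidr):
    """Return the in-addr.arpa zone names covering `cidr`.

    The prefix is rounded up to the next octet boundary (/8, /16, /24,
    /32) and the network is split into subnets of that size, one zone per
    subnet.  172.16.0.0/12 therefore yields sixteen /16 zones.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    octets = (net.prefixlen + 7) // 8
    if octets == 0:
        raise ValueError("0.0.0.0/0 cannot be expressed as in-addr.arpa zones")
    zones = []
    for sub in net.subnets(new_prefix=octets * 8):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


def named_conf_stanzas(networks, zone_file="db.notused"):
    """Render one `zone ... { type master; file ...; };` block per zone.

    `zone_file` defaults to the file name used in the post; it is a
    placeholder to adjust for a real deployment.
    """
    stanzas = []
    for cidr in networks:
        for zone in reverse_zones(cidr):
            stanzas.append(
                'zone "%s" {\n\ttype master;\n\tfile "%s";\n};' % (zone, zone_file)
            )
    return "\n\n".join(stanzas)


def ptr_name(ip):
    """PTR owner name for an IPv4 address, e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def covering_zone(ip, configured_zones):
    """Return the most specific configured zone containing the PTR name for `ip`.

    An authoritative server answers from the closest enclosing zone it
    serves, so a populated 10.10.10.in-addr.arpa beats the empty
    10.in-addr.arpa for 10.10.10.x, while 10.1.2.3 falls through to the
    empty zone.  Returns None when no configured zone applies.
    """
    name = ptr_name(ip)
    best = None
    for zone in configured_zones:
        if name == zone or name.endswith("." + zone):
            if best is None or zone.count(".") > best.count("."):
                best = zone
    return best


if __name__ == "__main__":
    print(named_conf_stanzas(RFC1918))
    # The poster's populated /24 zone plus the empty zones for all of RFC 1918.
    zones = ["10.10.10.in-addr.arpa"]
    for net in RFC1918:
        zones.extend(reverse_zones(net))
    for ip in ("10.10.10.5", "10.1.2.3", "172.30.0.7", "8.8.8.8"):
        print(ip, "->", covering_zone(ip, zones))
```

Running the script prints the eighteen stanzas and then shows 10.10.10.5 landing in the populated /24 zone, 10.1.2.3 and 172.30.0.7 landing in empty zones (local NXDOMAIN, no forwarder or root traffic), and 8.8.8.8 matching nothing, so a PTR query for it still goes out as normal.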


