caching only + wildcard

Josh Smith juicewvu at
Thu Jun 26 21:05:20 UTC 2008

This is typically a bad idea - DNS is used for more than just browsing the web.

See the Site Finder fiasco.

Please do not break the DNS in this manner for your users.


On Thu, Jun 26, 2008 at 9:34 AM, idanj <idan.jan at> wrote:
> Thank you for your reply, and sorry for not being clear. I'll try to
> explain again.
> We are a small ISP.
> We want to display a friendly message to our users whenever they are
> trying to access a non-existent domain.
> So the flow we were thinking about is:
> 1. User queries our (caching-only) NS
> 2. Our NS checks the root servers and gets a "NXDOMAIN" reply.
> 3. We return to the user an A RECORD with the IP address of our server
> 4. The user goes to that IP address and gets our error message.
> So we basically want the ability to add a wildcard record to our NS,
> but have that wildcard catch ONLY when our NS gets an NXDOMAIN reply
> from the root server.
> I hoped I explained myself OK this time.
> Thanks again
> Idan
> On Jun 26, 2:29 am, Kevin Darcy <k... at> wrote:
>> idanj wrote:
>> > Hello all,
>> > We have 2 BIND name servers configured as "caching-only".
>> > Is it possible to set a wildcard A record ("catch all") on these
>> > name servers?
>> > The problem is that when the server gets a query for a domain that
>> > doesn't exist in its cache, the server will return the wildcard reply
>> > instead of checking the root servers first.
>> I'm confused about what you're trying to accomplish here. Are you saying
>> "return a wildcard record any time the answer is not in cache"? Even if
>> that were possible, how would you expect to *ever* get anything into
>> your cache in that case? Bear in mind that a caching-only nameserver
>> typically starts up with *nothing* in its cache, just some "hints"
>> information about where to find root nameservers. If you give back a
>> wildcard record for everything not in cache, then there's no reason to
>> *ever* go out and resolve *anything* or cache *anything*. You just give
>> the wildcard record for every query. You might as well be not even
>> connected to the Internet.
>> I must be missing something here. Could you please clarify?
>> Are you perhaps using the term "cache" to also cover
>> *authoritative data*, i.e. where your (so-called) "caching-only"
>> nameserver is also master or slave for certain select zones, and you
>> want everything *else*, not in those zones, to get a wildcard response?
>> In that case, maybe your requirement might make sense...
>> Or, could it be that you're trying to set up a DNS infrastructure on an
>> internal network, that has no connectivity to the Internet? If so, then
>> you're approaching it the wrong way. You don't want "wildcards" to
>> prevent your nameservers from going out and trying to talk to the
>> Internet root nameservers; what you want is to set up your *own* private
>> root zone, and point all of your nameservers at that root zone instead
>> of the Internet version.
>>                            - Kevin

Josh Smith
email/jabber: juicewvu at
phone: 304.237.9369(c)

() ascii ribbon campaign - against html e-mail
/\ - against proprietary attachments
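The objection above is that a resolver which substitutes an A record for every NXDOMAIN breaks every non-browser client that relies on an honest negative answer. The following script is an added example, not code from this thread or from BIND: it builds a raw DNS query for a random label under the RFC 2606 reserved TLD `invalid.` (a name that can never exist), parses the reply with only the standard library, and classifies the resolver as honest (`nxdomain`) or rewriting (`rewritten`). The `build_response` helper fabricates resolver replies so the classifier can be exercised offline; the address 192.0.2.10 and the label `abc.invalid.` are constructed test values. Running the file with a resolver IP as its argument sends one live probe over UDP/53.

```python
"""Detect NXDOMAIN rewriting by a recursive resolver (pure stdlib, added example).

An honest resolver answers a query for a random label under the reserved
TLD "invalid." with RCODE 3 (NXDOMAIN). A resolver doing the wildcard-on-
NXDOMAIN trick discussed in the thread answers NOERROR plus an A record.
"""
import random
import socket
import string
import struct

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NXDOMAIN = 3


def encode_name(qname: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qid: int) -> bytes:
    """Standard recursive A query: header (RD=1, QDCOUNT=1) followed by the question."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def build_response(query: bytes, rcode: int, a_ip=None) -> bytes:
    """Constructed resolver reply for offline tests (assumption, not real traffic):
    echoes the question, sets QR/RD/RA and RCODE, and optionally appends one
    A record whose owner name is a compression pointer (0xC00C) to the question."""
    qid = struct.unpack(">H", query[:2])[0]
    flags = 0x8180 | (rcode & 0xF)
    ancount = 1 if a_ip else 0
    header = struct.pack(">HHHHHH", qid, flags, 1, ancount, 0, 0)
    answer = b""
    if a_ip:
        rdata = bytes(int(o) for o in a_ip.split("."))
        answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 60, 4) + rdata
    return header + query[12:] + answer


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Extract the ID, RCODE and any IN A records from the answer section."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    a_records = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            a_records.append(".".join(str(b) for b in rdata))
    return {"id": qid, "rcode": flags & 0xF, "a_records": a_records}


def classify(resp: dict) -> str:
    """'nxdomain': honest negative answer. 'rewritten': synthetic A record for a
    name that cannot exist. 'other': SERVFAIL, REFUSED, empty NOERROR, etc."""
    if resp["rcode"] == RCODE_NXDOMAIN and not resp["a_records"]:
        return "nxdomain"
    if resp["rcode"] == 0 and resp["a_records"]:
        return "rewritten"
    return "other"


def probe_name() -> str:
    """Random 12-letter label under RFC 2606's reserved 'invalid.' TLD."""
    label = "".join(random.choices(string.ascii_lowercase, k=12))
    return f"{label}.invalid."


def probe_resolver(resolver_ip: str, timeout: float = 3.0) -> str:
    """Send one live probe over UDP/53 and classify the reply (needs network)."""
    qid = random.randrange(0, 65536)
    query = build_query(probe_name(), qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    resp = parse_response(data)
    if resp["id"] != qid:  # ignore replies that do not match our transaction ID
        return "other"
    return classify(resp)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}: {probe_resolver(target)}")
```

A single probe is enough to tell the two behaviours apart because a rewriting resolver, by design, has no way to return NXDOMAIN for any name; a user on the ISP described above would see `rewritten` from the first query.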

More information about the bind-users mailing list