How to allow set Host file dns query priorities in BIND

Kevin Darcy kcd at chrysler.com
Wed Feb 23 17:19:56 UTC 2011


On 2/23/2011 4:57 AM, Eivind Olsen wrote:
>> is there any option in BIND to give priority to HOST file before
>> connecting it to internet ISP or local zone?
> No. BIND doesn't read/use the hosts file.
> What you _can_ do is configure BIND to believe it's authoritative for
> those zones, but I'd not recommend doing this unless you have a very good
> reason. And if your Internet connection goes down, does it really matter
> whether you can do lookups, if you can't make the connections anyway?
>
I hear that reasoning a lot, but it's actually a fallacy. Some 
applications/subsystems differentiate between "host not found" errors 
(considered "permanent") and "cannot connect" errors (considered 
"temporary" and retryable). In fact, those might be very different code 
paths, and the app/subsystem behavior might differ wildly.

Unless one intimately knows the failure behavior of 
*every*single*app*and*subsystem* in one's environment (which in a 
large/complex environment is a constantly moving target, since new apps 
and subsystems are being implemented all the time), one should err on 
the side of safety and ensure that DNS resolution still works even if 
the resources that the address (A/AAAA) records point to are unavailable.

One should also bear in mind that DNS isn't only used for obtaining 
address records for purposes of immediate client/server connection. Data 
mining, resource location, and general information retrieval functions 
are often implemented in DNS, and the availability of these functions 
shouldn't necessarily be made dependent on the up/down status of some 
arbitrary network link. It's also possible that an app could make a 
lookup, and as long as the TTL on the records hasn't expired, 
legitimately attempt a connection at some _later_ time. Not everything 
is "on-demand".

To answer the original poster's question: BIND doesn't control whether a 
process uses the hosts file for its lookup or not, that's usually an 
OS-configuration thing (see, e.g. 
http://en.wikipedia.org/wiki/Name_Service_Switch, 
http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=/com.ibm.aix.files/doc/aixfiles/netsvc.conf.htm, 
etc.)

                     - Kevin
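Kevin's point that hosts-file precedence is decided by the OS resolver configuration (the Name Service Switch), not by BIND, as an added example that is not part of the original thread: a small parser for the glibc-style nsswitch.conf `hosts:` line that replays which lookup sources a resolver would consult. The sample configuration is constructed, and the default status/action semantics are assumed from glibc's documented behaviour.

```python
import re

# Constructed sample: consult the hosts file first, stop if the name is not
# there, otherwise fall through to DNS.  Not copied from any real system.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed example)
passwd:   files
hosts:    files [NOTFOUND=return] dns
networks: files
"""

# Assumed glibc semantics: only SUCCESS stops the chain unless an action
# block such as [NOTFOUND=return] overrides it.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_hosts_line(conf):
    """Return [(source, {status: action})] for the hosts: database."""
    entries = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("hosts:"):
            continue
        # Tokens are either a "[STATUS=action ...]" block or a source name.
        for tok in re.findall(r"\[[^\]]*\]|\S+", line[len("hosts:"):]):
            if not tok.startswith("["):
                entries.append((tok, dict(DEFAULT_ACTIONS)))
                continue
            if not entries:
                raise ValueError("action block before any source")
            actions = entries[-1][1]                  # applies to previous source
            for pair in tok[1:-1].split():
                status, action = pair.upper().split("=", 1)
                if status.startswith("!"):            # [!X=act]: every status but X
                    for other in DEFAULT_ACTIONS:
                        if other != status[1:]:
                            actions[other] = action.lower()
                else:
                    actions[status] = action.lower()
        return entries
    raise ValueError("no hosts: line found")

def resolve_order(entries, outcomes):
    """Replay a lookup; outcomes maps source -> status (missing = UNAVAIL)."""
    consulted = []
    for source, actions in entries:
        consulted.append(source)
        if actions[outcomes.get(source, "UNAVAIL")] == "return":
            break
    return consulted
```

With the sample line, a name missing from the hosts file never reaches DNS; with a plain `hosts: files dns`, the hosts file is consulted first and DNS is asked only when the file has no answer.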