Negative zones; NXDOMAIN responses

Carlos M. Martinez carlosm3011 at gmail.com
Mon May 20 10:20:20 UTC 2013


You need the SOA record. It has to be empty but not THAT empty :-)

Sent from my iPad

On 20 May 2013, at 04:51, Narcis Garcia <informatica at actiu.net> wrote:

> - Yes, I thought about not using DNS from the same internet provider,
> but wanted to know if there is a way to patch only the .local response.
> 
> - This is the configuration I use in one of the LANs:
> 
> view "local-nets" {
>        match-clients { acl_local-nets; };
>        recursion yes;
>        forwarders {
>                62.151.2.8;
>        };
>        include "/etc/bind/named.conf.default-zones";
> }
> 
> - These are the tests to be done from a client:
> $ host -t SOA local.
> $ host -t SOA local. 62.151.2.8
> 
> - I've tried to create an empty zone, or one lacking A or SOA records,
> but then BIND9 doesn't load it:
> zone local/IN: has 0 SOA records
> zone local/IN: has no NS records
> zone local/IN: not loaded due to errors.
> 
> - I'm using BIND 9.7.3 from Debian 6, and I see that I need to upgrade
> to BIND 9.8.4 from Debian 7 to configure an RPZ zone.
> But I'm not sure if it's useful for SOA records.
> 
> 
> On 20/05/13 09:00, Matus UHLAR - fantomas wrote:
>>>> On 19 May 2013 20:51, Narcis Garcia <informatica at actiu.net> wrote:
>>>>> The internet ISP returns positive values for .local
>>>>> queries, and I need that LAN clients receive NXDOMAIN instead.
>> 
>> do they return positive answers for any non-existing domains?
>> (is this one of the ISPs wanting to make money on mistypes and lying to the
>> people?)
>> On 19.05.13 21:26, Steven Carr wrote:
>>> But in response to the actual question... what you want to do is not
>>> possible in BIND zone configs as you can't create a negative zone
>>> (that I'm aware of).
>> 
>> He can create empty .local zone that will return NXDOMAIN for everything.
>> 
>>> On 19 May 2013 21:22, Steven Carr <sjcarr at gmail.com> wrote:
>>>> Why are you forwarding queries to the ISP? Implement your own caching
>>>> layer, I for one would never use/trust an ISPs caching servers. If I
>>>> want to resolve a domain I go direct to the source, not via a 3rd
>>>> party.
>> 
>> This is the real solution. You should not use services of any ISP that are
>> broken like this. I'd even recommend not using ANY services of such ISPs.
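Below is what "empty but not THAT empty" looks like in practice. This is an added example, not configuration posted by anyone in the thread: it takes the "local-nets" view quoted above and adds an authoritative zone for local. whose zone file carries exactly the two records BIND insists on (one SOA and one NS) and nothing else. The file names /etc/bind/named.conf.local-nets and /etc/bind/db.empty-local are assumptions. Because a zone declared inside a view is answered by named itself, queries for anything under local. never reach the forwarder at 62.151.2.8, and every name below the apex comes back NXDOMAIN.

```conf
// /etc/bind/named.conf.local-nets  (hypothetical file name)
// The view from the thread, plus one authoritative "empty" zone for local.
// A zone declared in the view is served locally and is never forwarded,
// so the ISP resolver is bypassed for everything under local.
view "local-nets" {
    match-clients { acl_local-nets; };
    recursion yes;
    forwarders {
        62.151.2.8;
    };
    include "/etc/bind/named.conf.default-zones";

    zone "local" {
        type master;
        file "/etc/bind/db.empty-local";   // zone file below
        allow-transfer { none; };          // nothing worth transferring, so do not expose it
    };
};

; /etc/bind/db.empty-local  (hypothetical file name)
; Minimal zone that BIND will load: exactly one SOA and one NS record.
; Leaving either out reproduces the "has 0 SOA records" / "has no NS records"
; errors quoted in the thread, so these two records are the floor.
; The NS target is localhost. so no real host is advertised as authoritative.
$TTL 86400
@   IN  SOA localhost. root.localhost. (
            1          ; serial
            604800     ; refresh
            86400      ; retry
            2419200    ; expire
            86400 )    ; minimum: also the negative-caching TTL for the NXDOMAINs
@   IN  NS  localhost.
```

Check the zone file with `named-checkzone local /etc/bind/db.empty-local` before reloading named. From a client on the LAN, `host -t SOA local.` should now return the SOA above and `host -t A printer.local.` should report `3(NXDOMAIN)`, while `host -t SOA local. 62.151.2.8` still shows whatever the ISP answers, because that query skips the local server entirely. Two caveats: this only patches the .local case, so the ISP resolver keeps synthesising answers for every other non-existent name until the view stops forwarding to it, which is the "real solution" argued for in the thread; and clients that resolve .local over mDNS (RFC 6762) never consult unicast DNS for it in the first place.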

