use bind 9.8 as caching server and authoritative nameserver

bind-check at
Mon Oct 28 13:10:42 UTC 2013

Hi all,

I installed a new bind caching server called by using Ubuntu server 12.04.3 LTS with the included bind version: 9.8.1.dfsg.P1-4 for testing.

We are a tiny ISP for some regional customers so we don't use forwarders, we host the caching servers for them. 

Recently our government obligated all ISPs to block access to child-porn, illegal betting sites, illegal file share sites etc...
I have been asked now to implement this on our caching DNS servers (serve a custom zone to all of our customers that points to an IP from the government that hosts a block-page) 

It's the first time I try to use this mixed bind setup. (still act as caching server for our customers, but be authoritative for all domains we need to block) 

When I query a to-be-blocked-zone with for example: dig @localhost ,  I get the response I want from within our local zone file (see zone file below; /etc/bind/ 
If I use another Ubuntu host in the same network and query with dig @nameserver , I get the response from the Internet and not from the master zone file located on our 'nameserver'. (our test caching server seems to ignore its master for the zone

Below you will find our config files, I don't see the problem, thanks for your help!


(the name of my test server and the name of the zone we need to block have been replaced by fake ones for privacy reasons. Except for those names and its IP, all other info is from my test server-setup)

---cat /etc/hosts -->
                localhost
IP.IP.IP.IP     nameserver

# The following lines are desirable for IPv6 capable hosts 
::1     ip6-localhost ip6-loopback 
fe00::0 ip6-localnet 
ff00::0 ip6-mcastprefix 
ff02::1 ip6-allnodes 
ff02::2 ip6-allrouters 

---cat /etc/bind/named.conf --> 

// This is the primary configuration file for the BIND DNS server named. 
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file. 
// If you are just adding zones, please do that in /etc/bind/named.conf.local 

include "/etc/bind/named.conf.options"; 
include "/etc/bind/named.conf.local"; 
include "/etc/bind/named.conf.default-zones"; 

---cat /etc/bind/named.conf.options --> 

options { 
        directory "/var/cache/bind"; 

        // If there is a firewall between you and nameservers you want 
        // to talk to, you may need to fix the firewall to allow multiple 
        // ports to talk.  See 

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders. 
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder. 

        // forwarders { 
        // }; 

        // If BIND logs error messages about the root key being expired, 
        // you will need to update your keys.  See 
        dnssec-enable yes;
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

---cat /etc/bind/named.conf.local --> 

// Do any local configuration here 

// Consider adding the 1918 zones here, if they are not used in your 
// organization 
//include "/etc/bind/zones.rfc1918"; 

zone "" {
        type master;
        file "/etc/bind/";
};

---cat /etc/bind/ --> 

$TTL 86400 

@       IN      SOA (
                        2013101601      ; serial number YYMMDDNN
                        28800           ; Refresh
                        7200            ; Retry
                        864000          ; Expire
                        86400 )         ; Min TTL


        IN      A 
www     IN      A 
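As an added diagnostic, not part of the original post: a small POSIX shell script that tells an answer served from the local master zone apart from one the server fetched by recursion, by checking the AA flag and the SOA serial of a +norecurse query and reporting which server actually answered. It assumes dig is installed; the server, zone and serial given on its command line are placeholders.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the original post. Assumes dig is on
# the path; server and zone names on the command line are placeholders.
set -u

# True when a dig "+comments" header carries the AA (authoritative answer)
# flag: an answer served from the local master zone sets it, an answer the
# server fetched through recursion from the Internet does not.
aa_flag_set() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* aa[ ;]'
}

# SOA serial from dig answer text (field 7 of the SOA record line).
answer_serial() {
    printf '%s\n' "$1" | awk '$4 == "SOA" { print $7; exit }'
}

# Address of the server that actually answered, from the ";; SERVER:" line;
# confirms the remote host is talking to the intended nameserver at all.
responding_server() {
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# Query SERVER for ZONE's SOA with recursion disabled (+norecurse): a server
# holding the zone as master still answers with AA set, so the verdict does
# not depend on what the Internet says. Returns 0 only when the zone is
# served locally with the expected serial.
check_zone_served() {
    server=$1 zone=$2 expected=$3
    out=$(dig @"$server" "$zone" SOA +norecurse +noall +comments +answer +stats) || return 2
    echo "answered by: $(responding_server "$out")"
    if ! aa_flag_set "$out"; then
        echo "NOT AUTHORITATIVE: $server did not set AA for $zone"
        return 1
    fi
    serial=$(answer_serial "$out")
    if [ "$serial" != "$expected" ]; then
        echo "STALE: serial $serial, expected $expected (zone not reloaded?)"
        return 1
    fi
    echo "OK: $server is authoritative for $zone, serial $serial"
}

# Usage: sh check-zone.sh <server> <zone> <expected-serial>
if [ $# -ge 3 ]; then
    check_zone_served "$1" "$2" "$3"
fi
```

Run it once against localhost and once from the other host against the server's IP: a differing "answered by" address or a missing AA flag on the second run points at which side the problem is on.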
