empty-zones-enable vs. forwards for rfc1918 reverse zones

Alexander Bochmann ab at lists.gxis.de
Wed Jul 1 11:36:21 UTC 2015


I have an internal bind server that has several forward zones pointing to 
other internal name servers that carry reverse zones for rfc1918 networks 
we are using in our networks (let's say something like 0.20.10.in-addr.arpa).

This works fine until I either set empty-zones-enable yes; or include the 
empty rfc1918 master zones that Debian provides (this is bind 9.8.4):
When there is a 10.in-addr.arpa master zone, an additional forward zone for 
0.20.10.in-addr.arpa will just be ignored.
(I assume in this case I would need to provide for some kind of delegation 
for the reverse zones that actually are in use?)

I still want to blackhole lookups for unused rfc1918 space instead of 
sending those requests towards the Internet. 

My current workaround is to define additional forward zones for the 
top-level rfc1918 networks that use a non-exsting address on the loopback 
interface as forwarder. Obviously, between overlapping forward zones, some 
kind of first match wins - rule is used. The downside to that is that I get 
lots of lame-servers log entries for lookups matching those fake forward 

Is there a better solution?


More information about the bind-users mailing list