Problem with Zones (recursion?)

Grant Taylor gtaylor at
Sun Oct 15 18:07:07 UTC 2017

On 10/15/2017 06:15 AM, Michelle Konzack wrote:
> Good day,


> I have created a file
> ----[ /etc/bind/db.block ]----------------------------------------------
> @ 86400 IN SOA   dns1.<removed>. hostmaster.<removed>. ( a b c d e )
>          IN NS    dns1.<removed>.
> *       IN CNAME block.<removed>.
> ------------------------------------------------------------------------
> ----[ /etc/bind/named.conf.block ]--------------------------------------
> zone "" {type master; notify no; file "/etc/bind/db.block"; };
> zone "" {type master; notify no; file "/etc/bind/db.block"; };
> ------------------------------------------------------------------------


I've seen this type of thing done a number of times before.  (I think I 
first saw it on FreeBSD.)

> Since <dns1> is my own server, I have it prepend in my dhclient.conf of
> my Laptop but if I now query

Do I understand correctly that you are tweaking dhclient to use your 
server before other DNS servers?

> ----[ command 'nslookup' ]-----------------------------------
> ;; Got recursion not availlable from 7847104.44, trying next server
> Server:
> Address:
> Non-authoritative answer:
> Name:
> Address:
> ------------------------------------------------------------------------

The first thing I see is that you are querying the domain 
which does not have an A or AAAA record in your db.block file.

The second thing I notice is that you are not testing directly against 
your server.  (I assume you're relying on dhclient to pick the order.) 
I'd suggest trying "nslookup dns1.<removed>." to make sure 
that you are testing your DNS config and not hitting a dhclient resolver 
order issue.

> ----[ command 'named-checkzone db.block' ]-------------------
> db.block:3: using RFC1035 TTL semantics
> zone loaded serial 1508068518
> OK
> ------------------------------------------------------------------------
> What I am missing here?
> It should point to the server block.<removed>

Your nslookup will very likely not hit the CNAME as you're querying the 
apex of the zone.

I would also suggest that you check out Response Policy Zone(s) as they 
may be a better / more scalable way to accomplish what I suspect you are 

You might also want to glance at DNAME as it's closely related and can 
allow you to change the back end name that is queried.

> Thanks in advance

You're welcome.

Good luck.

Grant. . . .
unix || die
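A small added illustration of the point made above about the apex (this is not from the thread or from BIND; the zone name "blocked.example" and the target "block.example." are constructed stand-ins for the <removed> names in the post). It models how an authoritative server matches a query name against a zone that holds only SOA and NS at the apex plus a "*" CNAME: under the wildcard rules in RFC 4592 the wildcard only synthesizes answers for names that have no records of their own and that sit at least one label below the apex, so an A query for the apex itself returns NODATA rather than the CNAME.

```shell
#!/bin/sh
# Added example, not code from the original post. Models BIND's answer for
# an A query against a "db.block"-style zone whose only explicit records are
# SOA and NS at the apex and a wildcard CNAME for everything beneath it.
# Zone and target names are constructed placeholders.

ZONE="blocked.example"
BLOCK_TARGET="block.example."

# zone_answer NAME
# Prints what the authoritative server would answer for an A query on NAME.
zone_answer() {
    # Normalise: drop a trailing dot and fold to lower case (DNS is case-insensitive).
    name=$(printf '%s' "$1" | sed 's/\.$//' | tr '[:upper:]' '[:lower:]')
    case "$name" in
        "$ZONE")
            # The apex owns SOA and NS explicitly, so the wildcard does not
            # apply; with no A/AAAA present the answer is an empty NODATA.
            echo "NODATA (apex has SOA and NS only)"
            ;;
        *."$ZONE")
            # Any name strictly below the apex has no explicit RRset, so the
            # "*" CNAME is synthesized for it.
            echo "CNAME $BLOCK_TARGET"
            ;;
        *)
            # Not inside this zone at all: the server is not authoritative.
            echo "REFUSED (not in zone)"
            ;;
    esac
}

# Demonstration run. To check a live server instead of this model, ask it
# directly (bypassing whatever order dhclient wrote into resolv.conf), e.g.
#   dig @127.0.0.1 www.blocked.example A
for q in blocked.example www.blocked.example. deep.sub.blocked.example other.example; do
    printf '%-28s -> %s\n' "$q" "$(zone_answer "$q")"
done
```

The same distinction is why a blocklist built from wildcard CNAMEs needs an explicit record at each apex as well, which is one of the reasons Response Policy Zones are usually the better fit: an RPZ entry of the form `baddomain.example CNAME .` (NXDOMAIN) or `baddomain.example CNAME walled-garden.example.` (redirect) covers the bare name, and a companion `*.baddomain.example` line covers everything beneath it.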
