Empty .local zone

Tony Finch dot at dotat.at
Tue Feb 19 17:00:06 UTC 2019

Ben Bridges <bbridges at springnet.net> wrote:
> Would it be advisable or inadvisable to define an empty zone for .local
> on a recursive, unicast BIND server that is not hosting any Microsoft
> Windows AD domains or other .local zones in order to keep the queries
> for .local off the root servers?

If you are running BIND 9.12 with `dnssec-validation auto` then it isn't
necessary, because `named` will do NXDOMAIN synthesis for .local so you
won't leak queries to the root servers.

Before 9.12 I had a fairly extensive list of empty local zones most of
which was quite boring, except for .local, which had extra complications.
Avahi has a tricky interpretation of RFC 6762 section 22.1 point 4: it
tests the SOA at the apex of .local, and when it gets an answer it stops
doing mDNS. So an empty zone doesn't work so well, but NXDOMAIN synthesis
works nicely.

    # Misdirected mDNS queries get REFUSED
    # so that Avahi does not think we have a real .local zone.
    zone local {
        type master;
        file "/etc/db.null";
        # Deny every IPv4 and IPv6 client (the IPv4 entry was
        # garbled in the archive and is restored here).
        allow-query { !0.0.0.0/0; !::/0; };
    };

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
reject all prejudice and discrimination based upon race, colour,
religion, age, disability, gender, or sexual orientation
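The NXDOMAIN synthesis mentioned above (RFC 8198 aggressive use of cached NSEC records, which BIND 9.12 enables with DNSSEC validation) can be illustrated in code. The following is an added example, not from the original message or from BIND; the root-zone neighbours "loans." and "locker." are constructed placeholders, not the real root zone contents, and the NSEC pairs are assumed to have already been DNSSEC-validated.

```python
# Added example (not from the original post or from BIND): how a validating
# resolver answers NXDOMAIN for a name under .local from a cached root NSEC
# record, so the query never reaches the root servers.

def canonical_labels(name: str) -> list[bytes]:
    """Split a DNS name into lowercased labels, TLD first, as RFC 4034
    section 6.1 canonical ordering requires ("." gives an empty list)."""
    name = name.rstrip(".").lower()
    if not name:
        return []
    return [label.encode() for label in reversed(name.split("."))]


def canonical_cmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b in DNSSEC canonical order."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    # All shared labels are equal: the name with fewer labels sorts first.
    return (len(la) > len(lb)) - (len(la) < len(lb))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if the NSEC record OWNER -> NEXT_NAME proves QNAME does not exist.
    The last NSEC in a zone wraps around, so its next name is the apex."""
    if canonical_cmp(qname, owner) == 0:
        return False  # the owner itself exists; nothing is proven absent
    if canonical_cmp(owner, next_name) >= 0:
        # Wrap-around record: covers names after owner or before the apex.
        return canonical_cmp(qname, owner) > 0 or canonical_cmp(qname, next_name) < 0
    return canonical_cmp(owner, qname) < 0 < canonical_cmp(next_name, qname)


def synthesize_nxdomain(qname: str, cached_root_nsecs) -> bool:
    """Emulate the resolver's decision for a leaked query such as
    printer.local.: if a cached, validated root NSEC covers the TLD label,
    the resolver returns NXDOMAIN from cache (RFC 8020 says the whole subtree
    is absent). Only the root-zone case relevant to .local is modelled."""
    tld = canonical_labels(qname)[0].decode() + "."
    return any(nsec_covers(owner, nxt, tld) for owner, nxt in cached_root_nsecs)


# Constructed cache: one root NSEC whose gap happens to cover "local."
CACHED_ROOT_NSECS = [("loans.", "locker.")]
```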
