define zone

Greg Choules gregchoules+bindusers at googlemail.com
Fri Aug 8 09:19:38 UTC 2025


Hi.
1a correct
1b no because you have disabled recursion
1c OK. But as I said, if you also have "forward only;" (recommended) it
won't try to recurse, so hints are irrelevant.

2 Your choice. Use packet captures to see what queries CS is receiving and
deal with them appropriately. Tuning must be your job as no-one else knows
your environment.

Cheers, Greg

On Fri, 8 Aug 2025 at 07:41, Renzo Marengo <buckroger2011 at gmail.com> wrote:

> Hi Greg,
> Thanks for your help.
>
> 1) Just so I'm clear, if I made this configuration:
>   global forwarding DISABLED
>   zone "." MISSING
>   recursion ENABLE
>
>   a- server would contact root servers because hints are built-in, right?
>   b- with the same configuration but recursion DISABLED, would the server
> contact root servers?
>   c- in CS (cache server) both recursion and global forwarding are enabled;
> I will comment out the reference to zone "." in named.conf, leaving the
> existing zone file.
>
> 2) Z server is a "black box", I don't know its content.
>     AD domain controllers forward requests for external domains to the CS
> server. If I wanted to keep the built-in zones, should I add the
> "127.in-addr.arpa" and "255.in-addr.arpa" zones to the named.rfc1912.zones file?
>
> On Thu, 7 Aug 2025 at 14:24, Greg Choules <
> gregchoules+bindusers at googlemail.com> wrote:
>
>> Hi again, Renzo.
>>
>> 1) Regarding root hints, the explicit hint zone has not been necessary in
>> BIND for many years as the hints are built-in. This applies if your
>> resolver is doing recursion. But if you are doing global forwarding - with
>> "forward only;" as well - then "zone "." {" is pointless anyway. So either
>> way, you can remove it.
>>
>> 2) BIND has a list of built-in empty zones that are for names that should
>> not reach the Internet: reserved names and addresses. I think you do not
>> need explicit zones on the box you call CS as either they are built-in
>> already or the box called Z will have them anyway. But use tcpdump to
>> monitor traffic between CS and Z and decide whether you need anything more,
>> or less in your config.
>>
>> Also, please look at 9.20.11 as I suggested last time.
>>
>> Hope that helps.
>> Cheers, Greg
>>
>>
>> On Thu, 7 Aug 2025 at 13:06, Renzo Marengo <buckroger2011 at gmail.com>
>> wrote:
>>
>>> I'm replacing a caching and forwarding DNS server (called CS) running BIND
>>> 9.16.23, which forwards all client queries to a specific server Z.
>>>
>>> My doubts:
>>>
>>> 1)
>>> This CS server doesn't use the root servers, so can I delete this
>>> section in named.conf?
>>> zone "." IN {
>>>         type hint;
>>>         file "named.ca";
>>> };
>>>
>>>
>>> 2)
>>> the original named.rfc1912.zones file contains these zones:
>>> -------------------------------------------------
>>> zone "localhost.localdomain" IN {
>>>         type master;
>>>         file "named.localhost";
>>>         allow-update { none; };
>>> };
>>>
>>> zone "localhost" IN {
>>>         type master;
>>>         file "named.localhost";
>>>         allow-update { none; };
>>> };
>>>
>>> zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
>>>         type master;
>>>         file "named.loopback";
>>>         allow-update { none; };
>>> };
>>>
>>> zone "1.0.0.127.in-addr.arpa" IN {
>>>         type master;
>>>         file "named.loopback";
>>>         allow-update { none; };
>>> };
>>>
>>> zone "0.in-addr.arpa" IN {
>>>         type master;
>>>         file "named.empty";
>>>         allow-update { none; };
>>> };
>>> -------------------------------------------------
>>>
>>>
>>>
>>> My old file contains the same entries, except the zone
>>> "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa",
>>> and it includes the following extra ones:
>>>
>>> zone "127.in-addr.arpa" {
>>>         type master;
>>>         file "db.127";
>>> };
>>> zone "255.in-addr.arpa" {
>>>          type master;
>>>          file "db.255";
>>> };
>>>
>>> file db.255
>>> $TTL    604800
>>> @       IN      SOA     localhost. root.localhost. (
>>>                               1         ; Serial
>>>                          604800         ; Refresh
>>>                           86400         ; Retry
>>>                         2419200         ; Expire
>>>                          604800 )       ; Negative Cache TTL
>>> ;
>>> @       IN      NS      localhost.
>>>
>>>
>>> file db.127
>>> $TTL    604800
>>> @       IN      SOA     localhost. root.localhost. (
>>>                               1         ; Serial
>>>                          604800         ; Refresh
>>>                           86400         ; Retry
>>>                         2419200         ; Expire
>>>                          604800 )       ; Negative Cache TTL
>>> ;
>>> @       IN      NS      localhost.
>>> 1.0.0   IN      PTR     localhost.
>>>
>>> What do you think?
>>> Can I delete both the "127.in-addr.arpa" and "255.in-addr.arpa" zones?
>>> And what about the
>>> "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
>>> zone? Do I have to keep it?
>>>
>>> Thanks
>>>
>>>
>>>
>>
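Greg's rules (root hints only matter for a recursing resolver that is not forwarding everything; explicit copies of BIND's built-in empty zones are redundant, anything else is a judgement call from traffic) written as a small named.conf checker. This is an added example, not code from either poster; it assumes a simplified named.conf layout, a constructed sample with a placeholder forwarder address, and only the subset of built-in empty zones listed in BUILTIN_EMPTY.

```python
import re

# Subset of BIND's built-in empty zones (ARM, "empty-zones-enable"); an explicit
# zone with one of these names only replaces the copy BIND already serves.
BUILTIN_EMPTY = {
    "0.in-addr.arpa", "127.in-addr.arpa", "10.in-addr.arpa",
    "168.192.in-addr.arpa", "255.255.255.255.in-addr.arpa",
    "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa",
}

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def block_after(text, pos):
    """Contents of the first balanced { ... } at or after pos."""
    start, depth = text.index("{", pos), 0
    for i, ch in enumerate(text[start:], start):
        depth += (ch == "{") - (ch == "}")
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces")

def assess(conf):
    # Summarise what a named.conf implies for a forwarding resolver like CS.
    conf = strip_comments(conf)
    m = re.search(r"\boptions\s*\{", conf)
    opts = block_after(conf, m.start()) if m else ""
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    recursion = rec is None or rec.group(1) == "yes"          # BIND default: yes
    forwarders = re.search(r"\bforwarders\s*\{[^}]*\d", opts) is not None
    forward_only = re.search(r"\bforward\s+only\s*;", opts) is not None
    zones = {}
    for z in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        t = re.search(r"\btype\s+(\w+)\s*;", block_after(conf, z.end()))
        zones[z.group(1).lower()] = t.group(1) if t else "?"
    return {
        "recursion": recursion,
        "global_forward_only": forwarders and forward_only,
        # Only a recursing, non-forward-only resolver walks from the roots, and the built-in hints cover that.
        "root_servers_used": recursion and not (forwarders and forward_only),
        "explicit_hint_zones": [n for n, t in zones.items() if t == "hint"],
        "redundant_builtin": sorted(n for n in zones if n in BUILTIN_EMPTY),
        "not_builtin": sorted(n for n, t in zones.items() if t != "hint" and n not in BUILTIN_EMPTY),
    }

SAMPLE_CS = """   // constructed sample mirroring the CS config discussed above
options { recursion yes; forward only; forwarders { 192.0.2.53; }; };
zone "." IN { type hint; file "named.ca"; };
zone "127.in-addr.arpa" { type master; file "db.127"; };
zone "255.in-addr.arpa" { type master; file "db.255"; };
"""
```

For the sample, `assess(SAMPLE_CS)` reports that root servers are never used (so the hint zone can go), that "127.in-addr.arpa" duplicates a built-in zone, and that "255.in-addr.arpa" is not built-in and is left for the packet-capture check Greg describes.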