NXDomain reply after LAN IP response from forwarder for zone
Jarrod Farrell
jarrodmaddy at gmail.com
Sat Sep 13 22:38:12 UTC 2025
BIND 9.20.12
And adding `validate-except` to my configuration seems to be what I need, so thanks Greg.
```
IP 10.0.10.1.33184 > 10.0.10.100.53: 43821+ [1au] A? firewall.my-home.net.lan. (62)
IP 10.0.10.100.59360 > 10.0.10.101.53: 45885+% [1au] A? firewall.my-home.net.lan. (62)
IP 10.0.10.101.53 > 10.0.10.100.59360: 45885* 1/0/1 A 10.96.48.1 (66)
IP 10.0.10.100.53 > 10.0.10.1.33184: 43821 1/0/1 A 10.96.48.1 (94)
```
So for posterity, the final configuration:
```named.conf
// Generated by the NixOS services.bind module (see the Nix snippet below).
include "/etc/bind/rndc.key";

controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

// Clients allowed to use the cache. With no allow-recursion statement,
// BIND derives allow-recursion from allow-query-cache, so this list also
// bounds who may recurse through this server.
acl cachenetworks { 127.0.0.0/24; ::1/128; 10.0.10.0/24; };
acl badnetworks { };

options {
    listen-on { any; };
    listen-on-v6 { any; };
    allow-query-cache { cachenetworks; };
    blackhole { badnetworks; };

    // Try the public forwarders (Quad9) first, fall back to iterative resolution.
    forward first;
    forwarders { 9.9.9.9; 149.112.112.112; 2620:fe::fe; 2620:fe::9; };

    directory "/run/named";
    pid-file "/run/named/named.pid";

    // DNSSEC validation stays on globally; validation is switched off only
    // for the unsigned internal zone and everything beneath it, so keep
    // this list limited to internal names.
    validate-except { my-home.net.lan; };
};

// Internal zone: always ask the LAN server, never the public forwarders.
zone "my-home.net.lan" {
    type forward;
    forward only;
    forwarders { 10.0.10.101; };
};
```
And for those of the NixOS bent like I am (since this is what generates the configuration BIND uses):
```nix
services.bind = {
  enable = true;
  # Rendered as "acl cachenetworks { ... };" and allow-query-cache { cachenetworks; }.
  cacheNetworks = [
    "127.0.0.0/24"
    "::1/128"
    "10.0.10.0/24"
  ];
  # Rendered as "forward first;" in the options block.
  forward = "first";
  # Appended inside options { }: exempt only the unsigned internal zone.
  extraOptions = ''
    validate-except { my-home.net.lan; };
  '';
  # Appended at top level: forward-only zone served by the LAN server.
  extraConfig = ''
    zone "my-home.net.lan" {
      type forward;
      forward only;
      forwarders { 10.0.10.101; };
    };
  '';
};
```
On 9/13/25 18:01, Greg Choules wrote:
> Hello.
> What version of BIND are you running?
>
> By default, BIND will attempt to perform DNSSEC validation, which is probably why you're seeing the DS query. See here for more information on validation and DNSSEC in general: https://bind9.readthedocs.io/en/latest/dnssec-guide.html#dnssec-validation-explained
>
> You might want to leave validation enabled in general, but disable it for domains that you know are not signed, like "my-home.net.lan". Take a look at this configuration statement: https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except
>
> I hope that helps.
> Cheers, Greg
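As an added example (not from Jarrod's post, and not code from BIND or NixOS), here is a small Python checker for the point this thread turns on: validate-except switches DNSSEC validation off for each listed name and everything below it, so the list should contain exactly the unsigned internal zones that are forwarded and nothing broader. It is a regex plus brace-matching heuristic, not a full named.conf parser, and the configuration it inspects is a constructed, trimmed copy of the one above with two deliberate mistakes added so that every check fires: an over-broad "lan" entry and a hypothetical second forward zone, "corp.example" served by 10.0.20.53, that is not exempted.

```python
import re

# Constructed sample (not the poster's real file): a trimmed copy of the
# configuration above with two deliberate mistakes added so every check
# fires: an over-broad "lan" entry and a forward zone that is not exempted.
SAMPLE_CONF = """
options {
    forward first;
    forwarders { 9.9.9.9; 149.112.112.112; };
    validate-except { my-home.net.lan; lan; };   // "lan" exempts a whole TLD
};
zone "my-home.net.lan" {
    type forward;
    forward only;
    forwarders { 10.0.10.101; };
};
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.0.20.53; };   # hypothetical second LAN server
};
"""

# named.conf accepts C, C++ and shell style comments; drop all three.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def strip_comments(conf: str) -> str:
    return _COMMENT_RE.sub("", conf)


def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot, so "LAN." and "lan" compare
    equal and the root zone "." becomes the empty string."""
    return name.strip().strip('"').lower().rstrip(".")


def _block(text: str, open_idx: int) -> str:
    """Return the text between the brace at open_idx and its matching close,
    honouring nesting (zone bodies contain a nested forwarders { }; block)."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")


def parse_validate_except(conf: str) -> list[str]:
    """Names listed in every validate-except { }; statement, normalised."""
    names = []
    for m in re.finditer(r"\bvalidate-except\s*\{", conf):
        body = _block(conf, m.end() - 1)
        names.extend(_norm(n) for n in body.split(";") if n.strip())
    return names


def parse_forward_zones(conf: str) -> dict[str, str]:
    """Map zone name -> "only" or "first" for every zone of type forward."""
    zones = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', conf):
        body = _block(conf, m.end() - 1)
        if not re.search(r"\btype\s+forward\s*;", body):
            continue
        mode = re.search(r"\bforward\s+(only|first)\s*;", body)
        zones[_norm(m.group(1))] = mode.group(1) if mode else "first"
    return zones


def covers(entry: str, name: str) -> bool:
    """validate-except applies to the listed name and everything below it;
    the empty entry is the root zone and therefore covers every name."""
    return entry == "" or name == entry or name.endswith("." + entry)


def check(conf: str) -> dict[str, list[str]]:
    conf = strip_comments(conf)
    excepts = parse_validate_except(conf)
    zones = parse_forward_zones(conf)
    return {
        # root or a bare TLD: validation off for far more than one zone
        "too_broad": [e for e in excepts if "." not in e],
        # exemptions matching no forward zone: probably a typo or stale entry
        "exempt_without_zone": [e for e in excepts
                                if not any(covers(e, z) for z in zones)],
        # forward zones not exempted: answers from their forwarders are
        # still validated, which is where this thread started
        "zone_still_validated": [z for z in zones
                                 if not any(covers(e, z) for e in excepts)],
    }


if __name__ == "__main__":
    for kind, names in check(SAMPLE_CONF).items():
        print(f"{kind}: {names or 'none'}")
```

To run it against a live server, pass the contents of the real named.conf (or the file NixOS generates) to check(); the matching is by name suffix, so a zone listed as "my-home.net.lan" is reported as covered by an entry of "net.lan" or "lan", which is exactly the over-broad case the first check flags.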
More information about the bind-users mailing list