<div dir="ltr">Hello Mark,<div><br></div><div>Thank you very much for the reply.</div><div><br></div><div>I have changed the option "forward only;" to "forward first;" and it has enabled empty zones.</div><div>I can see using tcpdump that requests for private IPs are not going over the Internet.</div><div><br></div><div>This configuration works, but is this a good configuration for a forward-only DNS server, or will there be any problems related to caching etc. with this conf?</div><div><br></div><div>Regards,</div><div>Sachin</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 24, 2016 at 10:54 AM, Mark Andrews <span dir="ltr"><<a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Automatic empty zones are not created when there is a forward only<br>
entry covering the zone name. Almost all the time it is someone<br>
trying to make internal reverse zones work and if the upstream<br>
server is correctly configured it will prevent the queries leaking<br>
to the Internet as a whole.<br>
<br>
You are forwarding all your lookups to Google recursive servers in<br>
forward only mode so empty zones won't be created.<br>
<br>
If you don't want the queries to be sent to Google create your own<br>
empty zones or disable forwarding for these namespaces.<br>
<br>
Mark<br>
<br>
In message <<a href="mailto:CADu4ah4OqZeTda2PANwVuSV9OAJCaapHZpxaAz7ApdU3DTSz-Q@mail.gmail.com">CADu4ah4OqZeTda2PANwVuSV9OAJC<wbr>aapHZpxaAz7ApdU3DTSz-Q@mail.<wbr>gmail.com</a>><br>
, Sachin Patil writes:<br>
> Sending this to bind list ... had only sent to Tony by mistake.. !!<br>
><br>
> On Tue, Nov 22, 2016 at 5:45 PM, Sachin Patil <<a href="mailto:04sachin@gmail.com">04sachin@gmail.com</a>> wrote:<br>
><br>
> > Hello Tony,<br>
> > Thank you very much for the reply.<br>
> ><br>
> > I have configured bind in forward mode.<br>
> > My conf file looks like -<br>
> ><br>
> > options {<br>
> > directory "/var/cache/named";<br>
> > pid-file "/var/run/named/named.pid";<br>
> > recursion yes;<br>
> > allow-recursion { any; };<br>
> ><br>
> > forwarders {<br>
> > 8.8.8.8;<br>
> > 8.8.4.4;<br>
> > };<br>
> > forward only;<br>
> > empty-zones-enable yes;<br>
> > dnssec-enable yes;<br>
> > dnssec-validation yes;<br>
> ><br>
> > auth-nxdomain no; # conform to RFC1035<br>
> > listen-on-v6 { any; };<br>
> > server-id none;<br>
> > };<br>
> ><br>
> > Still lookup requests like - nslookup 10.10.2.20 127.0.0.1 are sent to<br>
> > 8.8.4.4.<br>
> ><br>
> ><br>
> ><br>
> > On Tue, Nov 22, 2016 at 4:27 PM, Tony Finch <<a href="mailto:dot@dotat.at">dot@dotat.at</a>> wrote:<br>
> ><br>
> >> Sachin Patil <<a href="mailto:04sachin@gmail.com">04sachin@gmail.com</a>> wrote:<br>
> >><br>
> >> > I want to return nxdomain for any private ip reverse lookup.<br>
> >><br>
> >> BIND does this by default. Look for "built-in empty zones" in<br>
> >> <a href="https://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch06.html" rel="noreferrer" target="_blank">https://ftp.isc.org/isc/bind9/<wbr>cur/9.11/doc/arm/Bv9ARM.ch06.<wbr>html</a><br>
> >><br>
> >> Tony.<br>
> >> --<br>
> >> f.anthony.n.finch <<a href="mailto:dot@dotat.at">dot@dotat.at</a>> <a href="http://dotat.at/" rel="noreferrer" target="_blank">http://dotat.at/</a> - I xn--zr8h<br>
> >> punycode<br>
> >> Southeast Iceland: Northerly 4 or 5, becoming variable 3 or 4. Rough<br>
> >> becoming<br>
> >> moderate. Wintry showers. Good, occasionally moderate.<br>
> >><br>
> ><br>
> ><br>
><br>
<span class="HOEnZb"><font color="#888888">--<br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: +61 2 9871 4742 INTERNET: <a href="mailto:marka@isc.org">marka@isc.org</a><br>
</font></span></blockquote></div><br></div>
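<div>The two alternatives Mark names (create your own empty zones, or disable forwarding for these namespaces), sketched as a named.conf fragment that keeps "forward only;" in the global options. This is an added example, not configuration posted by anyone in the thread; the file name db.empty and its contents are assumptions.</div>

```conf
// Added example (not from the thread). Goes in named.conf next to the
// options { } block quoted above, which keeps "forward only;".

// Alternative 1: explicit local empty zones for the RFC 1918 reverse space.
// named answers authoritative zones from local data, so these names are
// never handed to the forwarders.
zone "10.in-addr.arpa" {
    type master;
    file "db.empty";   // assumed name, relative to "directory" in options
};
zone "168.192.in-addr.arpa" {
    type master;
    file "db.empty";
};
// Repeat for 16.172.in-addr.arpa through 31.172.in-addr.arpa.

// Assumed contents of db.empty (SOA and NS only, so every PTR lookup
// under the zone gets NXDOMAIN):
//
//   $TTL 86400
//   @  IN SOA localhost. root.localhost. ( 1 604800 86400 2419200 86400 )
//   @  IN NS  localhost.

// Alternative 2 (use instead of a master zone for the same name): turn
// forwarding off for one namespace with an empty forwarders list, so no
// forward-only entry covers it. That is the condition Mark gives for the
// automatic empty zone being skipped.
//
//   zone "10.in-addr.arpa" {
//       type forward;
//       forwarders { };
//   };

// Check after reloading, using the address from the thread:
//   dig -x 10.10.2.20 @127.0.0.1    (expect status NXDOMAIN)
// and confirm with tcpdump that nothing for it leaves towards
// 8.8.8.8 or 8.8.4.4.
```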