<div dir="ltr"><div>Hi.</div><div>1a correct</div><div>1b no because you have disabled recursion</div><div>1c OK. But as I said, if you also have "forward only;" (recommended) it won't try to recurse, so hints are irrelevant.</div><div><br></div><div>2 Your choice. Use packet captures to see what queries CS is receiving and deal with them appropriately. Tuning must be your job as no-one else knows your environment.</div><div><br></div><div>Cheers, Greg</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Fri, 8 Aug 2025 at 07:41, Renzo Marengo <<a href="mailto:buckroger2011@gmail.com">buckroger2011@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi Greg,</div><div>Thanks for your help.</div><div><br></div><div>1) Just so I'm clear, if I made this configuration:</div><div> global forwarding DISABLED</div><div> zone "." MISSING </div><div> recursion ENABLE</div><div><br></div><div> a- server would contact root servers because hints are built-in, right?</div><div> b- with same configuration with recursion DISABLED, server would contact root servers?</div><div></div><div> c- in CS (cache server) is enabled both recursion and global forwarding, I will comment out reference of zone "." in named.conf leaving existing zone file.</div><div><br></div><div></div><div>2) Z server is "black box", I don't know its content.</div><div> AD domain controllers forward requests for external domain to CS server. If I wanted to keep built-in zones, in
named.rfc1912.zones file should I add
"127.in-addr.arpa" and "255.in-addr.arpa" zones?</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 7 Aug 2025 at 14:24, Greg Choules <<a href="mailto:gregchoules%2Bbindusers@googlemail.com" target="_blank">gregchoules+bindusers@googlemail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi again, Renzo.</div><div><br></div><div>1) Regarding root hints, the explicit hint zone has not been necessary in BIND for many years as the hints are built-in. This applies if your resolver is doing recursion. But if you are doing global forwarding - with "forward only;" as well - then "zone "." {" is pointless anyway. So either way, you can remove it.</div><div><br></div><div>2) BIND has a list of built-in empty zones that are for names that should not reach the Internet: reserved names and addresses. I think you do not need explicit zones on the box you call CS as either they are built-in already or the box called Z will have them anyway. 
But use tcpdump to monitor traffic between CS and Z and decide whether you need anything more, or less in your config.</div><div><br></div><div>Also, please look at 9.20.11 as I suggested last time.</div><div><br></div><div>Hope that helps.</div><div>Cheers, Greg</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 7 Aug 2025 at 13:06, Renzo Marengo <<a href="mailto:buckroger2011@gmail.com" target="_blank">buckroger2011@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>I'm replacing Caching and Forwarding DNS server (called CS) in Bind 9.16.23 which forwards all client queries to specific server Z.</div><div><br></div><div>My doubts:</div><div><br></div><div>1)</div><div>This CS server doesn't use root server so I can delete in named.conf this section ?</div><div></div><div>zone "." IN {<br> type hint;<br> file "<a href="http://named.ca" target="_blank">named.ca</a>";<br>};</div><div><br></div><div><br></div><div>2)</div><div>the original named.rfc1912.zones file contains these zones:</div><div></div><div>-------------------------------------------------</div><div></div><div>zone "localhost.localdomain" IN {<br> type master;<br> file "named.localhost";<br> allow-update { none; };<br>};<br><br>zone "localhost" IN {<br> type master;<br> file "named.localhost";<br> allow-update { none; };<br>};<br><br>zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {<br> type master;<br> file "named.loopback";<br> allow-update { none; };<br>};<br><br>zone "1.0.0.127.in-addr.arpa" IN {<br> type master;<br> file "named.loopback";<br> allow-update { none; };<br>};<br><br>zone "0.in-addr.arpa" IN {<br> type master;<br> file "named.empty";<br> allow-update { none; };<br>};</div><div>
<div>-------------------------------------------------</div>
<br></div><div><br></div><div><br></div><div>My old file contains the same entries, excluding zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa", and it includes the following extra ones:</div><div></div><div><br></div><div>zone "127.in-addr.arpa" {<br> type master;<br> file "db.127";<br>};<br>zone "255.in-addr.arpa" {<br> type master;<br> file "db.255";<br>};</div><div><br></div><div>file db.255<br>$TTL 604800<br>@ IN SOA localhost. root.localhost. (<br> 1 ; Serial<br> 604800 ; Refresh<br> 86400 ; Retry<br> 2419200 ; Expire<br> 604800 ) ; Negative Cache TTL<br>;<br>@ IN NS localhost.</div><div><br></div><div><br></div><div>file db.127<br>$TTL 604800<br>@ IN SOA localhost. root.localhost. (<br> 1 ; Serial<br> 604800 ; Refresh<br> 86400 ; Retry<br> 2419200 ; Expire<br> 604800 ) ; Negative Cache TTL<br>;<br>@ IN NS localhost.<br>1.0.0 IN PTR localhost.<br><br></div><div></div><div></div><div></div><div>What do you think?</div><div>Can I delete both "127.in-addr.arpa" and "255.in-addr.arpa" zones?</div><div>And about
"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" zone? Do I have to keep it?</div><div><br></div><div>Thanks</div><div><br></div><div><br></div><div><br></div></div>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>
</blockquote></div>
</blockquote></div>
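Added example (not part of the thread and not BIND code): one way to act on the packet-capture advice above is to tally, per destination, the queries that fall in the local zones discussed in the thread. The capture lines are constructed in `tcpdump -n` text style; the addresses (client 10.0.0.5, CS 10.0.0.2, Z 192.0.2.53), `LOCAL_ZONES` and the function names are assumptions.

```python
import re
from collections import Counter

# Zones named in the thread that the operator expects CS to answer itself
# (assumption: adjust to match your own named.rfc1912.zones).
LOCAL_ZONES = [
    "localhost.",
    "0.in-addr.arpa.",
    "127.in-addr.arpa.",
    "255.in-addr.arpa.",
    "1." + "0." * 31 + "ip6.arpa.",  # IPv6 loopback reverse zone
]

# Matches a DNS query line in `tcpdump -n` text output, destination port 53.
QUERY_RE = re.compile(
    r"IP6? \S+ > (?P<dst>\S+)\.53: \d+\S* (?:\[[^\]]*\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)

# Constructed capture: 10.0.0.5 is a client, 10.0.0.2 is CS, 192.0.2.53 is Z.
SAMPLE_CAPTURE = [
    "07:41:01.000001 IP 10.0.0.5.53124 > 10.0.0.2.53: 4660+ PTR? 1.0.0.127.in-addr.arpa. (40)",
    "07:41:01.000200 IP 10.0.0.2.41811 > 192.0.2.53.53: 9001+ [1au] PTR? 255.255.255.255.in-addr.arpa. (57)",
    "07:41:02.000300 IP 10.0.0.5.53125 > 10.0.0.2.53: 4661+ A? www.example.com. (33)",
    "07:41:02.000400 IP 10.0.0.2.41812 > 192.0.2.53.53: 9002+ [1au] A? www.example.com. (44)",
    "07:41:03.000500 IP 10.0.0.5.53126 > 10.0.0.2.53: 4662+ PTR? 5.0.0.127.in-addr.arpa. (40)",
]

def local_zone_for(qname):
    """Return the LOCAL_ZONES entry that contains qname, or None."""
    name = qname.lower()
    if not name.endswith("."):
        name += "."
    for zone in LOCAL_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None

def tally_local_queries(lines):
    """Return {destination_ip: Counter({zone: count})} for local-zone queries."""
    seen = {}
    for line in lines:
        m = QUERY_RE.search(line)
        zone = local_zone_for(m.group("qname")) if m else None
        if zone:
            seen.setdefault(m.group("dst"), Counter())[zone] += 1
    return seen
```

Counts under the CS address are queries clients sent to CS; counts under the Z address are names CS forwarded instead of answering locally, which is the signal for deciding whether an explicit zone is needed.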