
Disable Root Hints


Eric Reischer

Oct 23, 2008, 3:33:08 PM
Greetings all. I have a private network that is not (and will not ever
be) connected to the Internet, but I want to set up an internal DNS
server to help navigate between machines. I've successfully set up my
domain (foo.com, let's say) root file and the server is answering
queries to it dutifully, but I want to disable failover to the
root-servers in the event the local server cannot resolve a name (since
they'll never be reachable). However it seems that newer versions of
BIND9 actually have the root servers primed in the program at
compile-time, irrespective of the root hints file.

My question is, will it be sufficient to create a new root hints file
that has [A-M].ROOT-SERVERS.NET all defined as 192.168.0.2 (my BIND9
server's address), or will some other method be more prudent? Will this
create a circular reference? My goal is to have the server return an
NXDOMAIN rather than a SERVFAIL on a query to a host that isn't in the
local table. The other thought I had was to create zone files for
"com", "net", "edu", etc, and have them all empty.

Thanks.


Florian Weimer

Oct 23, 2008, 3:40:30 PM
* Eric Reischer:

> My question is, will it be sufficient to create a new root hints file
> that has [A-M].ROOT-SERVERS.NET all defined as 192.168.0.2 (my BIND9
> server's address), or will some other method be more prudent? Will this
> create a circular reference? My goal is to have the server return an
> NXDOMAIN rather than a SERVFAIL on a query to a host that isn't in the
> local table. The other thought I had was to create zone files for
> "com", "net", "edu", etc, and have them all empty.

You could disable recursion altogether and just serve your local zones
authoritatively.

Chris Buxton

Oct 23, 2008, 4:14:50 PM
On Oct 23, 2008, at 12:33 PM, Eric Reischer wrote:

> Greetings all. I have a private network that is not (and will not ever
> be) connected to the Internet, but I want to set up an internal DNS
> server to help navigate between machines. I've successfully set up my
> domain (foo.com, let's say) root file and the server is answering
> queries to it dutifully, but I want to disable failover to the
> root-servers in the event the local server cannot resolve a name (since
> they'll never be reachable). However it seems that newer versions of
> BIND9 actually have the root servers primed in the program at
> compile-time, irrespective of the root hints file.
>
> My question is, will it be sufficient to create a new root hints file
> that has [A-M].ROOT-SERVERS.NET all defined as 192.168.0.2 (my BIND9
> server's address), or will some other method be more prudent? Will this
> create a circular reference? My goal is to have the server return an
> NXDOMAIN rather than a SERVFAIL on a query to a host that isn't in the
> local table. The other thought I had was to create zone files for
> "com", "net", "edu", etc, and have them all empty.
>
> Thanks.

Set up a private root zone. There is no need to list all of the names
of the public root servers. Just create a root zone that delegates
your private domain name, like this:

$TTL 1d
; SOA fields: primary NS, contact mailbox, serial, refresh, retry, expire, negative-cache TTL (example values)
. SOA your.server.foo.com. hostmaster.foo.com. ( 2008102301 1h 15m 1w 1d )
. NS your.server.foo.com.
foo.com. NS your.server.foo.com.
your.server.foo.com. A 192.168.0.2 ; glue address for the delegated name (address from the original question)

Chris Buxton
Professional Services
Men & Mice


blrmaani

Oct 27, 2008, 12:13:32 PM
I guess forwarding queries in the root zone (.) also works. But I don't
know if this causes any other side effects.

// Recursion should be enabled before adding the block below:

zone "." {
type forward;
forward only;
forwarders { <your internal ips>; };
};

cheers
Blr



Barry Margolin

Oct 27, 2008, 8:24:42 PM
In article <ge4pmk$17vq$1...@sf1.isc.org>, blrmaani <blrm...@gmail.com>
wrote:

> I guess forwarding queries in the root zone (.) also works. But I don't
> know if this causes any other side effects.
>
> // Recursion should be enabled before adding the block below:
>
> zone "." {
> type forward;
> forward only;
> forwarders { <your internal ips>; };
> };

Isn't this equivalent to configuring forwarding in the options section?

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***

Chris Buxton

Oct 28, 2008, 12:39:05 AM
On Oct 27, 2008, at 5:24 PM, Barry Margolin wrote:

> In article <ge4pmk$17vq$1...@sf1.isc.org>, blrmaani <blrm...@gmail.com>
> wrote:
>

>> I guess forwarding queries in the root zone (.) also works. But I don't
>> know if this causes any other side effects.
>>
>> // Recursion should be enabled before adding the block below:
>>
>> zone "." {
>> type forward;
>> forward only;
>> forwarders { <your internal ips>; };
>> };
>

> Isn't this equivalent to configuring forwarding in the options section?

Yes it is.

D. Stussy

Oct 28, 2008, 5:28:36 PM
"Barry Margolin" <bar...@alum.mit.edu> wrote in message
news:ge5mfu$21j3$1...@sf1.isc.org...

> In article <ge4pmk$17vq$1...@sf1.isc.org>, blrmaani <blrm...@gmail.com>
> wrote:
>
> > I guess forwarding queries in the root zone (.) also works. But I don't
> > know if this causes any other side effects.
> >
> > // Recursion should be enabled before adding the block below:
> >
> > zone "." {
> > type forward;
> > forward only;
> > forwarders { <your internal ips>; };
> > };
>
> Isn't this equivalent to configuring forwarding in the options section?

Technically no. It will direct queries that start from the top-down, but
will not direct queries to the forwarders for any other specifically defined
zone. So what's the difference? Stub zones. I assume that master and
slave zones would be answered directly.
