On 5/20/2013 11:36 AM, Chris Buxton wrote:
On May 20, 2013, at 12:51 AM, Narcis Garcia <informat...@actiu.net> wrote:
- Yes, I thought about not using DNS from the same internet provider,
but wanted to know if there is a way to patch only the .local response.
- This is the configuration I use in one of the LANs:
view "local-nets" {
    match-clients { acl_local-nets; };
    recursion yes;
    forwarders {
        62.151.2.8;
    };
    include "/etc/bind/named.conf.default-zones";
}
- These are the tests to be done from a client:
$ host -t SOA local.
$ host -t SOA local. 62.151.2.8
- I've tried to create an empty zone, or one lacking A or SOA records,
but then BIND9 doesn't load it:
zone local/IN: has 0 SOA records
zone local/IN: has no NS records
zone local/IN: not loaded due to errors.
- I'm using BIND 9.7.3 from Debian 6, and I see that I need to upgrade
to BIND 9.8.4 from Debian 7 to configure an RPZ zone.
But I'm not sure if it's useful for SOA records.
For the time being, .local is not delegated from the root. So just not using
your ISP's resolvers will do what you want -- recurse directly to the Internet.
There is no way to create an empty .local zone that won't have even an SOA
record. I'm not sure if you could do this via RPZ -- probably -- but why bother
when you could just remove your ISP's servers from the equation?
I'm not a big fan of solutions that bombard the root servers with "junk"
traffic. According to the Wikipedia entry for ".local",
l.root-servers.net is already getting hit with about 2300 qps for
".local" names (thus 4th behind .com, .net and .org). Let's not add to that.
This is fairly trivial to deal with via RPZ:
local CNAME . ; for the apex
*.local CNAME . ; for everything else
Full disclosure: I'd love to implement this myself, but
a) my strategic product for DNS resolution charges extra for the RPZ
functionality, and
b) my biggest business partner, having followed Microsoft's
recommendation of many years (until their recent reversal), has deployed
several "real" internal zones under the .local TLD. I can't afford to
blind myself to those.
- Kevin
P.S. Wikipedia might want to update their figures, since I just did a
query via
http://stats.l.root-servers.org/cgi-bin/dsc-grapher.pl?window=86400&plot=qtype_vs_all_tld&server=L-root
and "local" shows as third on the graph, the figure appearing closer to
2500 qps than 2300 qps.
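For anyone who wants to try Kevin's RPZ approach on BIND 9.8 or later, here is the complete policy zone with the two records he shows, plus the named.conf fragment that activates it. This is an added example, not configuration posted by anyone in the thread; the zone name "rpz.example", the file path, the SOA/NS hostnames and the "corp.local" exception (for the kind of real internal .local zone Kevin mentions) are assumptions.

```bind
// ---- named.conf fragment (assumed zone name and path) ----
options {
    // ... existing options ...
    // Apply the policy zone to every response this view/server produces
    response-policy { zone "rpz.example"; };
};

zone "rpz.example" {
    type master;
    file "/etc/bind/db.rpz.example";
    allow-query { localhost; };   // policy data, not meant for clients to query
};

// ---- /etc/bind/db.rpz.example ----
// The SOA and NS records are exactly what the empty "local" zone in the
// thread lacked ("has 0 SOA records" / "has no NS records"); an RPZ zone
// is an ordinary zone and needs them too. Hostnames below are placeholders.
$TTL 300
@               IN SOA   localhost. hostmaster.example.invalid. (
                              2013052001   ; serial (assumed)
                              3600         ; refresh
                              900          ; retry
                              604800       ; expire
                              300 )        ; negative-cache TTL
                IN NS    localhost.

; Kevin's two rules: CNAME to "." makes BIND answer NXDOMAIN, so .local
; queries are absorbed here instead of being sent to the root servers.
local           IN CNAME .          ; the apex
*.local         IN CNAME .          ; everything under it

; Assumed exception: an internal zone that must keep resolving normally.
; The more specific name wins over "*.local", and rpz-passthru tells BIND
; to leave the real answer untouched.
corp.local      IN CNAME rpz-passthru.
*.corp.local    IN CNAME rpz-passthru.
```

Check the file with "named-checkzone rpz.example /etc/bind/db.rpz.example" before reloading, then repeat the "host -t SOA local." test from the thread: the answer should now be NXDOMAIN from your own resolver, with no query leaving for the root.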