Lee, Jeffrey, David,

Thank you for your replies.
There is much about DNS and networking that I have yet to learn. My knowledge is usually enough to set up working systems that [hopefully] do not collide with other systems, but not enough to understand further details or to fully understand if what I do is correct as in industry standard, or how to do it better. Your responses have given me more details to study.

Do you know if there is a good place to post Bind9 DNS server configuration questions to?

I desire to set up an isolated-from-the-Internet environment to test DMARC and DNSSEC protected email systems, hence I want to replicate the Internet's DNS system, or to put it another way, configure TLD nameservers for a Chain of Trust in my isolated network that is not able to reach ICANN's real TLD nameservers.

https://www.neatcode.org/dns/
Chain of Trust: DNSSEC establishes a chain of trust from the root zone (represented by the “.” at the top of the DNS hierarchy) down to the individual domain.

I guess the correct thing would be to purchase a domain name just for testing, and then I could test as I wanted, but then I would need hosting of the domain name that also supports DNSSEC (more expense). Though this also takes away some of the configuration from me, and hence a reduction in understanding of how it works.

https://www.cloudflare.com/en-au/learning/dns/dns-records/dns-dmarc-record/
Domain-based Message Authentication Reporting and Conformance (DMARC) is a method of authenticating email messages. A DMARC policy tells a receiving email server what to do after checking a domain's Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records, which are additional email authentication methods.
On Friday, 02-08-2024 at 11:15 Lee wrote:
> On Thu, Aug 1, 2024 at 7:41 PM George at Clug wrote:
> >
> > On Friday, 02-08-2024 at 00:48 David Wright wrote:
> > > On Thu 01 Aug 2024 at 10:32:27 (-0400), Greg Wooledge wrote:
> > > > On Thu, Aug 01, 2024 at 14:30:05 +0000, fxkl4...@protonmail.com wrote:
> > > > > my nsswitch.conf is "hosts: files mdns4_minimal [NOTFOUND=return] dns"
> > > > > i don't remember changing it in the past few decades
> > > > > i recently had a situation that made me question the ordering
> > > > > my dns server is my primary router
> > > > > should dns be first
> > > >
> > > > It would be *extremely* unusual to want to consult DNS before
> > > > /etc/hosts.
> > > > I recommend leaving files first unless you have a *really* good reason
> > > > to switch them.
> > > >
> > > > I have no comment on mdns4_minimal because I don't really know what that
> > > > is.
> > >
> > > AIUI mdns4_minimal is for devices that configure themselves using
> > > multicast DNS on .local. If you put dns first, then the names of any
> > > .local devices will be leaked out of your LAN and on to the Internet's
> > > DNS servers. [NOTFOUND=return] is what prevents that happening IF you
> > > leave the order alone.
> > >
> > > (BTW don't use .local for your LAN domain name.)
> >
> > Why is that? (recently I was starting to believe I should stop using the
> > domain names I had chosen, and start using (what I thought was) the
> > standard of .local)
>
> Because .local is used for names that can be resolved by multicast
> DNS. See the wikipedia article
> https://en.wikipedia.org/wiki/.local
>
> > Is it your personal preference, or a technical necessity?
>
> to quote from wikipedia

Yes, due to past work experience, this was my understanding...
https://en.wikipedia.org/wiki/.local
Microsoft TechNet article 708159[7] suggested .local for the exact opposite reason: Using the .local label for the full DNS name for the internal domain is a more secure configuration because the .local label is not registered for use on the Internet. This separates your internal domain from your public Internet domain name. By default, a freshly installed Windows Server 2016 Essentials also adds .local as the default dns-prefix when a user doesn't select the advanced option, resulting in a domain with .local extension.

https://www.ietf.org/rfc/rfc6762.txt
This document specifies that the DNS top-level domain ".local." is a special domain with special semantics, namely that any fully qualified name ending in ".local." is link-local, and names within this domain are meaningful only on the link where they originate.

https://www.icann.org/en/board-activities-and-meetings/materials/approved-board-resolutions-regular-meeting-of-the-icann-board-04-02-2018-en#2.c
However, the New gTLD Program has brought renewed attention to this issue of queries for undelegated TLDs at the root level of the DNS because certain applied-for new TLD strings could be identical to name labels used in private networks (i.e., .HOME, .CORP, and .MAIL).

> Linux distributions use the Name Service Switch configuration file
> /etc/nsswitch.conf[9] in which mDNS name resolution was
> added via the mdns4_minimal plugin to nsswitch. In this
> configuration, where mdns4_minimal precedes the standard dns option,
> which uses /etc/resolv.conf, the mDNS resolution will block
> subsequent DNS resolution on the local network.
>
> > What is best practice for a local LAN prefix? (I have never found
> > conclusive instruction).
>
> home.arpa
> see https://www.rfc-editor.org/rfc/rfc8375.html

A fairly straightforward statement in this RFC, just not sure if I could get used to using .arpa as a suffix. But seems like a great choice?
> > It is my belief that .local is a MS idea originating from the configuration
> > of their servers. Is this correct?
>
> again, quoting from the .local wikipedia article
> Microsoft TechNet article 708159[7] suggested .local ...
> but later recommended against it

https://en.wikipedia.org/wiki/.local
If you have *Macintosh client computers* that are running the Macintosh OS X version 10.3 operating system or later, ... it is recommended that you do not use the .local label for the full DNS name of your internal domain.

> Regards,
> Lee
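An added example, not part of this thread: a small Python model of how the NSS "hosts:" line is walked, to show why "files mdns4_minimal [NOTFOUND=return] dns" keeps a .local lookup from reaching the upstream DNS server while "dns" first sends it there. The three sources are simplified stand-ins (constructed data, not the real glibc/nss-mdns modules); the assumption that mdns4_minimal answers UNAVAIL for non-.local names is what lets other names fall through to dns.

```python
# Added example: simulate glibc NSS walking the "hosts:" line of /etc/nsswitch.conf.
# The source behaviours below are simplified stand-ins, not the real NSS modules.
import re

ACTION_RE = re.compile(r"\[(\w+)=(\w+)\]")

def parse_hosts_line(line):
    """Parse 'hosts: files mdns4_minimal [NOTFOUND=return] dns' into [(source, {STATUS: action})]."""
    entries = []
    for tok in line.split(":", 1)[1].split():
        m = ACTION_RE.fullmatch(tok)
        if m:  # an action specifier applies to the source just before it
            entries[-1][1][m.group(1).upper()] = m.group(2).lower()
        else:
            entries.append((tok, {}))
    return entries

# Constructed sample data: what each source would answer for a given name.
HOSTS_FILE = {"gateway": "192.0.2.1"}          # stands in for /etc/hosts
MDNS_LINK = {"printer.local": "192.0.2.20"}    # stands in for answers heard on the link

def query_source(source, name):
    """Return (status, answer) for one source; mdns4_minimal only handles *.local."""
    if source == "files":
        return ("SUCCESS", HOSTS_FILE[name]) if name in HOSTS_FILE else ("NOTFOUND", None)
    if source == "mdns4_minimal":
        if not name.endswith(".local"):
            return ("UNAVAIL", None)            # assumption: not its job, fall through
        return ("SUCCESS", MDNS_LINK[name]) if name in MDNS_LINK else ("NOTFOUND", None)
    if source == "dns":
        return ("NOTFOUND", None)               # being consulted at all means the query left the host
    raise ValueError(source)

def resolve(hosts_line, name):
    """Walk the sources in order; return (answer, list of sources actually consulted)."""
    consulted = []
    for source, actions in parse_hosts_line(hosts_line):
        consulted.append(source)
        status, answer = query_source(source, name)
        # glibc default: return on SUCCESS, continue on anything else, unless overridden
        action = actions.get(status, "return" if status == "SUCCESS" else "continue")
        if action == "return":
            return answer, consulted
    return None, consulted

if __name__ == "__main__":
    safe = "hosts: files mdns4_minimal [NOTFOUND=return] dns"
    leaky = "hosts: files dns mdns4_minimal [NOTFOUND=return]"
    print(resolve(safe, "nosuch.local"))    # dns never consulted
    print(resolve(leaky, "nosuch.local"))   # dns consulted before mdns stops the walk
```

Whether "dns" appears in the consulted list for an unknown .local name is exactly the leak David Wright describes; the same walk shows an ordinary Internet name still reaching dns under the default ordering.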