
I'm trying to wrap my head around the wonderful world of DNS.

I have created a zone file for example.com which contains:

@     A    1.2.3.4
*     A    1.2.3.4

However I am also setting up my local DNS, local.example.com which I have created a separate zone file for containing the following:

machine1     A    192.168.0.1
machine2     A    192.168.0.2

When I dig machine1.local.example.com it returns A record 192.168.0.1, great.

Sadly, badmachine.local.example.com returns 1.2.3.4, as does local.example.com.

I'm not sure of the best way to prevent this. If I add the following to local.example.com, empty A records are returned for the two examples above, which is the behaviour I desire:

@     A
*     A

I want anything.example.com to use the wildcard EXCEPT anything in the local.example.com subdomain which I do not want to give a response unless specified. Essentially I need a wild card with one exclusion.

Is this allowed? Is this best practice, or am I doing things terribly wrong? I'm using PowerDNS with BIND backend.

Thanks for your thoughts!

John (question edited by MadHatter)

4 Answers


Firstly, your comment to Chris S above clarifies (indeed, modifies) your original question considerably, and I hope you'll forgive me editing it into your original question.

Secondly, null records aren't permitted, as others have noted.

Thirdly, I think the way to do what you want is to declare local.example.com to be a proper subdomain:

local                       IN      NS      ns1.example.com
local                       IN      NS      ns2.example.com

listing the same two nameservers as you currently run for example.com (note: I don't know PowerDNS, so my entries above are in BIND format). Then on those nameservers (which I presume is this nameserver) you declare a zonefile for local.example.com which contains only the hosts you want to resolve, and no wildcard record.

So when people look up foo.example.com, assuming that's not listed, it'll match the existing wildcard record, and return 1.2.3.4 (or whatever). But when people look up foo.local.example.com, the nameserver records for local.example.com will be returned and a further recursion will take place, with your nameserver now looking at the zonefile for local.example.com, and saying (in the absence of a specific record for foo and a wildcard in local.example.com) "no, there is no such record".

MadHatter
  • I tried that, however the subdomain itself is on the same name server, so it just seems to redirect back to itself. Here is my bind-style configuration of zones:
    zone "local.example.com" IN {
            type master;
            file "local.example.com.zone";
    };
    zone "example.com" IN {
            type master;
            file "example.com.zone";
    };
    Given blank A records seem to be working (despite being technically invalid, is it worth worrying about?), especially given that it's only for local dns records which will be irrelevant to anyone querying externally.
    – John Dec 21 '10 at 17:32

It would be useful to know exactly what responses you are after. The first two lines quoted in your question set the default response for the domain, and the unmatched record response as well. Hence example.com will be serviced by the "@" record, and anything-that-doesnt-exist.example.com will be serviced by the "*" record. They aren't necessary; you can get rid of both. Setting them to blank values is an invalid configuration (on most systems).

Chris S
  • Well, I do have additional example.com subdomains, I just condensed them out here. I want anything.example.com to use the wildcard EXCEPT anything in the local.example.com subdomain which I do not want to give a response unless specified. Essentially I need a wild card with one exclusion. Thanks for your input. – John Dec 21 '10 at 16:17

I can't think of a way to "null" an entry. Empty A records are not permitted.

Perhaps *.example.com A 1.2.3.4 would prevent override of the .local.example.com entries? It sounds like PowerDNS is misbehaving from spec. Having local.example.com domain defined should prevent the wildcard from stomping on anything in that domain. Can you post full zone files? That would resolve a number of small questions.

Jeff Ferland
  • Yes, searching the net, I can't find any information at all pertaining to 'null'-ing dns records, which I'm incredibly surprised about. I tried *.example.com. and it made no difference, it's surely technically identical to just * and local.example.com still falls under it. – John Dec 21 '10 at 17:35
  • On posting full zone files, they've changed so much as I've tried different configurations I wouldn't know what to put! I think I've provided the essentials, are there any specific records? – John Dec 21 '10 at 17:36
  • No, nothing specific. I was seeking to find something that would be answered by a question which I may not ask. One curiosity is whether that wildcard record is also copied in the .local.example.com file. Can you try putting the wildcard entry at the bottom of the zone file? The placement shouldn't matter, but I don't have a lot of ideas for that one right now. I'm pretty sure BIND server doesn't behave in this manner, so I'm inclined to blame PowerDNS. – Jeff Ferland Dec 21 '10 at 17:55

You should look at the specific behavior of the server you are running, because this feature has not been implemented consistently:

To quote from RFC 4592, many DNS implementations diverge, in different ways, from the original definition of wildcards.

Wildcards in practice

What you want the wildcard entry to do is correct, as I understand the definition of the wildcard usage (better to think of it as a default value of last resort). I will try to find time to read the clarifying RFC and update here...

benc
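A small model of the behaviour MadHatter's delegation answer and the RFC 4592 discussion in the later answers describe, added here as an illustration rather than code from PowerDNS or BIND: an authoritative server holding both zones serves a query from the most specific zone and then applies the closest-encloser wildcard rule, so the delegated local.example.com node shields badmachine.local.example.com from *.example.com while foo.example.com still gets 1.2.3.4. Zone contents are constructed from the question and the answer; ns1/ns2.example.com are the answer's example nameservers.

```python
# Added illustration (not PowerDNS/BIND code); zone data is constructed from the
# question and MadHatter's answer, with ns1/ns2.example.com as assumed nameservers.
# zone apex -> {owner name -> {rrtype -> [rdata, ...]}}; names fully qualified.
ZONES = {
    "example.com": {
        "example.com": {"A": ["1.2.3.4"], "NS": ["ns1.example.com", "ns2.example.com"]},
        "*.example.com": {"A": ["1.2.3.4"]},
        # Delegating the subdomain creates a node for it in the parent zone.
        "local.example.com": {"NS": ["ns1.example.com", "ns2.example.com"]},
    },
    "local.example.com": {
        "local.example.com": {"NS": ["ns1.example.com", "ns2.example.com"]},
        "machine1.local.example.com": {"A": ["192.168.0.1"]},
        "machine2.local.example.com": {"A": ["192.168.0.2"]},
        # deliberately no wildcard in the child zone
    },
}


def ancestors(name):
    """Yield name, then each parent label by label: 'a.b.c', 'b.c', 'c'."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def lookup(qname, zones=ZONES, qtype="A"):
    """Answer like an authoritative server hosting `zones`. Returns RDATA
    strings ([] is NODATA, the empty answer the question wanted) or None for
    NXDOMAIN / not authoritative."""
    qname = qname.rstrip(".").lower()
    # 1. Serve from the most specific zone containing the name, so a child zone
    #    always wins over its parent's wildcard.
    zone = next((z for z in ancestors(qname) if z in zones), None)
    if zone is None:
        return None
    records = zones[zone]
    # 2. An existing owner name is answered as-is; wildcards never apply to it.
    if qname in records:
        return list(records[qname].get(qtype, []))
    # 3. RFC 4592: the closest encloser is the longest existing ancestor in this
    #    zone. Only a wildcard directly below it ("*.<closest encloser>") matches;
    #    a node such as local.example.com therefore shields everything beneath it.
    for parent in ancestors(qname):
        if parent != qname and parent in records:
            wildcard = records.get("*." + parent)
            return list(wildcard.get(qtype, [])) if wildcard else None
    return None
```

Passing only the parent zone (no separate local.example.com zone file) still yields NXDOMAIN for badmachine.local.example.com, because the NS node alone is enough to change the closest encloser.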