
I want to configure bind9 to be a local DNS only with no internet access at all. So I have 5 PCs in my virtual domain xy.com. Within this domain there is no access to the internet.

The DNS server has entries like:

  • pc1.xy.com IN A 10.1.1.1
  • pc2.xy.com IN A 10.1.1.2
  • ...
  • pc5.xy.com IN A 10.1.1.5

Bind is configured correctly, but when I do a "dig @localhost pc1" on the DNS server it does not work because it gets stuck contacting the root servers. But I only want it to be local and to answer which IP pc1 has.

How can I achieve this?

JohnnyFromBF
  • In addition to the answer below, you need to actually look up a record that's on the server. "pc1" and "pc1.xy.com" are not the same and a DNS server will not make assumptions for you. – Chris S Jan 06 '12 at 14:03
  • Ok I guess "pc1 IN CNAME pc1.xy.com." will do the job, right? – JohnnyFromBF Jan 06 '12 at 14:08
  • In a zone file, names without a trailing period will be assumed to be relative to the zone itself. So if you have a zone example.com, and records in it `www IN A 1.2.3.4` and `ftp IN A 5.6.7.8` then the FQDN version of those records is `www.example.com` and `ftp.example.com` respectively. You should not configure TLDs or records in that namespace. You should configure your clients with a domain name and search domains (if there are multiple), DHCP option 15 and 119 respectively. – Chris S Jan 06 '12 at 14:36

3 Answers


To achieve this you need to create a fake root zone to replace the "root.hints" zone that's normally configured.

In named.conf put this:

zone "." IN {
        type master;
        file "fake.root";
};

and in fake.root put this:

$TTL    300
.               IN      SOA ns. hostmaster.xy.com. (
                        20120101 1800 900 604800 86400
                )
.               IN      NS      ns
ns              IN      A       127.0.0.1

This will prevent all attempts to access the internet to obtain the real root hints.

You can also put your pcN.xy.com entries directly into that root zone, too - there's no need for them to be in their own xy.com zone file, so you can just append the following to fake.root:

$ORIGIN xy.com.
pc1             IN      A       10.1.1.1
pc2             IN      A       10.1.1.2
pc3             IN      A       10.1.1.3
pc4             IN      A       10.1.1.4
pc5             IN      A       10.1.1.5

Apart from any options { } that you may need (ACLs?) that's it - nothing else required.

Alnitak
  • I don't think this works. At least not nowadays. Bind has root DNS hardcoded. Maybe turning recursion off will help. This will however also disable forwarders. – Marki Mar 06 '21 at 01:05
  • Yes, it works. BIND has a supplied set of root *hints* but they are not used if a "real" root zone is configured. Note that when a hints file is used, the BIND server will make an initial "priming query" to learn the current set of root servers, to allow for them being different to the compiled-in list. – Alnitak Mar 08 '21 at 12:27
  • Hi, this seems not to work for me with `BIND 9.11.5-P4-5.1+deb10u6-Debian (Extended Support Version)`. In the error log it says `managed-keys-zone: Unable to fetch DNSKEY set '.': failure`. I can create a separate question with full explanation – Julian Dimitrov Nov 25 '21 at 08:53
  • @JulianDimitrov turn off DNSSEC validation. NB: BIND 9.11 is now relatively ancient. BIND 9.11.36 is the current version of BIND 9.11-ESV but it is about to go EOL. The new ESV is based on BIND 9.16. – Alnitak Nov 28 '21 at 00:01

You need to disable recursion:

Add to the config:

allow-transfer { none; };

allow-recursion { none; };

My config "named.conf" looks like this (on RHEL system):

options {
        allow-query {
                any;
        };
        allow-recursion {
                none;
        };
};
Tim
  • Ok in which file do I have to put this? named.conf.options, named.conf.local or db.xy.com or db.10.10.1? – JohnnyFromBF Jan 06 '12 at 14:09
  • I added both to named.conf.options but now I don't get an answer on "dig @localhost pc1.xy.com" but the WARNING: recursion requested but not available. – JohnnyFromBF Jan 06 '12 at 14:38
  • For me it is `named.conf`, but I know what my distro is, I do not know what yours is.. – Tim Jan 06 '12 at 14:43
  • It's Debian 6. So you put both into the options section of named.conf? – JohnnyFromBF Jan 06 '12 at 14:46
  • It is declared right after "options" section. See the update to my answer. – Tim Jan 06 '12 at 16:31
  • Also, I know this isn't the answer, but this stuff is why I personally hate bind. I find "powerdns" to be an awesome alternative, and I can use various different backends, like mysql or ldap for instance. – Tim Jan 06 '12 at 16:33
  • this has _nothing_ to do with recursion, or transfers - it's all because BIND tries to download the latest real root hints whenever it starts. – Alnitak Jan 06 '12 at 23:07

You did not describe your configuration in enough detail. I think you are missing the authoritative part. You need to have a block like this in your config files:

zone "domain.lan" {
        type master;
        file "master/db.domain.lan";
        allow-update { none; };
};

where master/db.domain.lan should point to the zone file which should contain the records you posted above. Also, the zone file should have an SOA (start of authority) record in its header. The zone file should look like:

domain.lan.          86400   IN   SOA  dns.domain.lan. root.dns.domain.lan. ( 1 10800 3600 6044800 86400 )
                     86400   IN   NS   dns.domain.lan.

dns.domain.lan.      86400   IN   A    10.10.10.1
pc.domain.lan.       86400   IN   A    10.10.10.2

You can customize the names/values/IPs according to your needs.

Khaled
  • @Khaled I do have a zone just like you posted it, but bind tries to ask the root servers even if I dig for pc1.xy.com and thus times out. that sucks :( – JohnnyFromBF Jan 06 '12 at 15:10
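As an added example (not code from any of the answers above), here is a minimal Python parser for the zone files shown in Alnitak's fake.root and Khaled's db.domain.lan. It shows how $ORIGIN and relative owner names are qualified into FQDNs and why, as Chris S points out in the comments, "pc1" and "pc1.xy.com" are different names to an authoritative server. It handles only what those answers use ($TTL, $ORIGIN, a parenthesised SOA, blank owners, NS and A records); a real zone should be checked with named-checkzone.

```python
import re

# Constructed copy of the answer's fake.root with two xy.com hosts appended.
FAKE_ROOT = """\
$TTL    300
.               IN      SOA ns. hostmaster.xy.com. (
                        20120101 1800 900 604800 86400
                )
.               IN      NS      ns
ns              IN      A       127.0.0.1
$ORIGIN xy.com.
pc1             IN      A       10.1.1.1
pc2             IN      A       10.1.1.2
"""

def qualify(name, origin):
    """Zone-file rule: a name without a trailing dot is relative to $ORIGIN."""
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"

def parse_zone(text, origin="."):
    """Return {(fqdn, rtype): [rdata, ...]} with every owner name qualified."""
    records, last_owner = {}, origin
    # Fold a parenthesised multi-line record (the SOA) onto one logical line.
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    for line in text.splitlines():
        line = line.split(";")[0].rstrip()          # drop comments
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if line[0].isspace():                       # blank owner: reuse previous
            owner = last_owner
        else:
            owner = last_owner = fields.pop(0)
        while fields[0].isdigit() or fields[0].upper() == "IN":  # optional TTL/class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME"):                # rdata is a name: qualify it too
            rdata = [qualify(rdata[0], origin)]
        records.setdefault((qualify(owner, origin), rtype), []).append(" ".join(rdata))
    return records

def lookup(records, name, rtype="A"):
    """Exact match, as an authoritative server answers: 'pc1' is not 'pc1.xy.com'."""
    fqdn = name if name.endswith(".") else name + "."
    return records.get((fqdn, rtype.upper()), [])
```

With the root zone loaded, `lookup(z, "pc1.xy.com")` returns the A record while `lookup(z, "pc1")` returns nothing, which is exactly the behaviour the comments describe; a client only gets "pc1" to work through a configured search domain.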