
I've configured BIND to catch all domains and return the same IP (A record) for them. This is for a domain parking service where there might be thousands of domains involved.

After pointing the nameservers for example.com to my nameservers, I correctly get shown the parked hosting page.

The only issue is that nameserver lookups aren't working. If I dig NS example.com, I just get the SOA details back instead of the NS names, although dig example.com does return the correct A record.

I've spent hours trying various things and would really appreciate help on this one.

The configuration for it:

named.conf.local:

zone "." {
    type master;
    file "/etc/bind/zones/db.catchall";
};

db.catchall:

$TTL    604800
@   IN  SOA ns1.mynameserver.com. hostmaster.mynameserver.com. (
             26     ; Serial
         604800     ; Refresh
          86400     ; Retry
        2419200     ; Expire
         604800 )   ; Negative Cache TTL

    IN  NS  ip.addr.for.ns1
    IN  NS  ip.addr.for.ns2 

*   IN  A   ip.addr.for.hosting
Harley

1 Answer


The observed behavior is expected and correct for what you have configured.
I.e., you have a nameserver that claims to be authoritative for the root zone, and which has a wildcard A record that will match anything below. It does not have NS records other than for the root zone.

However, what you have configured is not actually correct for a server that is supposed to be authoritative for lots of different zones. If example.com is delegated to your nameserver, your nameserver is supposed to have this particular zone (with at least SOA and NS at the apex of the zone), not only some parent zone (like .).
Things that will be wrong with this configuration include responses to queries for NS (i.e., it will claim that there are no nameservers for example.com) as well as all negative responses (negative responses will have SOA for the wrong zone).

If you want to do this thing with as correct behavior as possible, but without specifying all the zones (which would be best for correctness), I think you would want to look into some highly scriptable nameserver software that can answer as if it had the relevant zones matching some kind of patterns (maybe based on the public suffix list?).

Håkan Lindqvist
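The behaviour described in the answer above, as an added example that is not part of the original post and is not BIND's code: a simplified model of authoritative lookup comparing the single "." zone from the question with a zone loaded for example.com itself. The zone data is constructed; ns2.mynameserver.com. and the address 192.0.2.10 are assumptions standing in for the placeholders in the question.

```python
# Simplified model of authoritative lookup, for illustration only (not BIND code).
# All zone data is constructed; 192.0.2.10 stands in for the hosting address.
NS = ["ns1.mynameserver.com.", "ns2.mynameserver.com."]  # ns2 is assumed
SOA = ["ns1.mynameserver.com. hostmaster.mynameserver.com. 26"]
HOST = ["192.0.2.10"]

def wildcard(apex):
    return "*." if apex == "." else "*." + apex

def make_zone(apex):
    """Zone with SOA and NS at its own apex plus apex and wildcard A records."""
    return {"apex": apex, "records": {
        (apex, "SOA"): SOA, (apex, "NS"): NS, (apex, "A"): HOST,
        (wildcard(apex), "A"): HOST}}

# The question's setup: one zone for ".", NS only at the root, wildcard A below.
CATCHALL = [{"apex": ".", "records": {
    (".", "SOA"): SOA, (".", "NS"): NS, ("*.", "A"): HOST}}]

def closest_zone(zones, qname):
    """Return the loaded zone whose apex is the longest suffix of qname."""
    hits = [z for z in zones if z["apex"] == "." or qname == z["apex"]
            or qname.endswith("." + z["apex"])]
    return max(hits, key=lambda z: len(z["apex"]), default=None)

def answer(zones, qname, qtype):
    """Return (status, rdata, apex of the zone the response is built from)."""
    zone = closest_zone(zones, qname)
    if zone is None:
        return ("REFUSED", [], None)
    recs, apex = zone["records"], zone["apex"]
    # Simplification: a wildcard at the apex covers every non-existent name below.
    owner = qname if any(o == qname for o, _ in recs) else wildcard(apex)
    if (owner, qtype) in recs:
        return ("ANSWER", recs[(owner, qtype)], apex)
    # Negative responses carry the SOA of the zone that answered, i.e. `apex`.
    exists = any(o == owner for o, _ in recs)
    return ("NODATA" if exists else "NXDOMAIN", [], apex)

def demo():
    per_zone = [make_zone("example.com.")]
    for label, zones in (("catch-all", CATCHALL), ("per-zone", per_zone)):
        for qtype in ("A", "NS"):
            print(label, qtype, answer(zones, "example.com.", qtype))

if __name__ == "__main__":
    demo()
```

With the catch-all zone the NS query ends as NODATA with the SOA of ".", which is the SOA-only reply dig shows in the question; with a zone for example.com the same query returns the NS set and negative answers carry that zone's SOA.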