Configure BIND to be a simple forwarder (no root-servers queries)


BIND indeed does, when forwarders are defined, send all the requests that were not satisfied by the local BIND to the forwarders.

Moreover, when forward only; is used, the local zones are ignored and all requests are satisfied only from the cache or by the forwarders.

If you need to have local zones (i.e. private IP addresses from RFC 1918 and a local home/office zone) while still having forwarders, you need to comment out both the zone with the root hints and the forward only; directive.

// forward only;

// zone "." {
//    type hint;
//    file "/etc/bind/db.root";
// };

From the DNS HowTo

But if "forward only" is set, then BIND gives up when it doesn't get a response from the forwarders, and gethostbyname() returns immediately. Hence there is no need to perform sleight-of-hand with files in /etc and restart the server.

In my case, I just added the lines

forward only; forwarders { 193.133.58.5; };

to the options { } section of my named.conf file. It works very nicely. The only disadvantage of this is that it reduces an incredibly sophisticated piece of DNS software to the status of a dumb cache.

So, if you only need a dumb cache, you can just forward requests. This is the appropriate configuration in a corporate setting, when you forward requests to the central office, for instance.

As for your situation, where you forward requests to the outside, I would advise not to blindly use forward only, so as not to forward DNS requests for the private IP address ranges/local DNS/Windows domains to the higher hierarchies/root name servers.
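The following is an added example for this thread, not code from the answer or the question above. It lints a named.conf.options fragment for the forward-only setup being discussed and then writes a corrected one. Run against a constructed copy of the options block in the question, it flags the two directives that stop forwarding from ever happening (recursion no; and allow-recursion { "none"; }, since forwarding is recursion from the client's point of view), and it also flags a file that lists forwarders but lacks forward only;, because without it named falls back to iterating from the root hints, which is exactly what the question wants to avoid. The corrected file keeps recursion on but limits allow-recursion to the trusted ACL from the question, so the box never becomes an open resolver. The function names, the temporary paths and the sample files are assumptions of this example; named-checkconf is only run if it happens to be installed.

```shell
#!/bin/sh
# Added example (not code from the original post): lint a BIND
# named.conf.options fragment for a forward-only cache and write a corrected one.
# Function names, paths and the sample configs below are assumptions.

# strip_comments FILE: drop // and # comments so that commented-out directives
# (for example a disabled root-hints zone) are not mistaken for live ones.
strip_comments() {
    sed -e 's@//.*$@@' -e 's/#.*$//' "$1"
}

# lint_forwarder_options FILE
# Exit 0 when FILE describes a usable forward-only cache:
#   recursion must not be "no"        (clients would get REFUSED, forwarders unused)
#   allow-recursion must not be none  (same effect, per client ACL)
#   "forward only;" must be present   (otherwise named falls back to the root servers)
#   at least one forwarder address must be listed
lint_forwarder_options() {
    cfg=$(strip_comments "$1")
    rc=0
    if printf '%s\n' "$cfg" | grep -Eq '(^|[[:space:]])recursion[[:space:]]+no[[:space:]]*;'; then
        echo "FAIL: 'recursion no;' - clients are refused and the forwarders are never used"
        rc=1
    fi
    if printf '%s\n' "$cfg" | grep -Eq 'allow-recursion[[:space:]]*[{][[:space:]]*"?none"?[[:space:]]*;'; then
        echo "FAIL: allow-recursion { none; } - no client is allowed to recurse"
        rc=1
    fi
    if ! printf '%s\n' "$cfg" | grep -Eq '(^|[[:space:]])forward[[:space:]]+only[[:space:]]*;'; then
        echo "FAIL: 'forward only;' missing - named would fall back to the root servers"
        rc=1
    fi
    # Look only inside the forwarders { ... } block for an IPv4 or IPv6 address.
    if ! printf '%s\n' "$cfg" | awk '/forwarders[ \t]*[{]/,/[}]/' \
         | grep -Eq '(([0-9]{1,3}\.){3}[0-9]{1,3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]+)[[:space:]]*;'; then
        echo "FAIL: forwarders { } is empty or missing - nothing to forward to"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $1 is a forward-only cache with recursion enabled"
    fi
    return "$rc"
}

# write_forwarder_options FILE FORWARDER...
# Minimal options file: everything goes to the forwarders, only the RFC 1918
# "trusted" networks may query or recurse, and no fallback to root iteration.
write_forwarder_options() {
    out=$1; shift
    {
        echo 'acl "trusted" { 127.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; ::1; };'
        echo 'options {'
        echo '        directory "/var/cache/bind";'
        echo '        recursion yes;                    // forwarding needs recursion'
        echo '        allow-query { trusted; };'
        echo '        allow-recursion { trusted; };     // never an open resolver'
        echo '        allow-transfer { none; };'
        echo '        forward only;                     // give up if forwarders fail, never walk from root'
        echo '        forwarders {'
        for fwd in "$@"; do echo "                $fwd;"; done
        echo '        };'
        echo '};'
    } > "$out"
}

# Demo: a constructed copy of the relevant lines from the options block in the
# question, followed by a corrected file pointing at the same OpenDNS addresses.
tmp=$(mktemp -d)
cat > "$tmp/bad.options" <<'EOF'
options {
        directory "/var/cache/bind";    # bind cache directory
        recursion no;                   # enables resursive queries
        allow-recursion { "none"; };
        forward only;
        forwarders {
                208.67.222.222;
                208.67.220.220;
        };
};
EOF
lint_forwarder_options "$tmp/bad.options" || echo "-> rejected, as expected"
write_forwarder_options "$tmp/good.options" 208.67.222.222 208.67.220.220
lint_forwarder_options "$tmp/good.options"
# If bind9-utils is installed, let named's own parser check the result too.
{ command -v named-checkconf >/dev/null 2>&1 && named-checkconf "$tmp/good.options"; } || true
```

Drop the generated file in as /etc/bind/named.conf.options, keep the localhost and RFC 1918 zones in named.conf.local, and comment out the root-hints zone in named.conf.default-zones as the answer describes; with forward only; in place the hints are never consulted anyway, so removing them simply makes the intent explicit.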

Author by

user3450548

Updated on September 18, 2022

Comments

  • user3450548
    user3450548 almost 2 years

    I would like to set up a simple bind server able to act as a simple forwarder to the OpenDNS servers.

    I don't want my bind, however, to be able to query the root servers; I want all the traffic to go only to OpenDNS and maybe act as a "cache" for it.

    How can this be achieved? Should I disable the root server hints in some way? Is this the correct procedure?

    My guess is to comment out the zone "." served by the root servers in the named.conf.default-zones file. I read, however, that not querying the root servers can also be achieved by disabling recursion, but disabling recursion seems to leave the server unable to take advantage of the forwarders too.. Where is my conf wrong?

    Conf is the following:

    named.conf

    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local
    
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    

    named.conf.options

    acl "trusted" {
            127.0.0.1/8;
            10.0.0.0/8;
            172.16.0.0/12;
            192.168.0.0/16;
            ::1;
    };
    
    options {
    
            directory "/var/cache/bind";    # bind cache directory
    
            recursion no;                   # enables resursive queries
    
            allow-query { trusted; } ;
    
            allow-recursion { "none"; };
            additional-from-cache no;
    
            allow-transfer { none; };       # disable zone transfers by default
    
            // If there is a firewall between you and nameservers you want
            // to talk to, you may need to fix the firewall to allow multiple
            // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
    
            // If your ISP provided one or more IP addresses for stable
            // nameservers, you probably want to use them as forwarders.
            // Uncomment the following block, and insert the addresses replacing
            // the all-0's placeholder.
    
            forward only;
    
            forwarders {
                    208.67.222.222;
                    208.67.220.220;
            };
    
    
            //========================================================================
            // If BIND logs error messages about the root key being expired,
            // you will need to update your keys.  See https://www.isc.org/bind-keys
            //========================================================================
    
            dnssec-enable no;
            dnssec-validation no;
            dnssec-lookaside auto;
    
    
            auth-nxdomain no;               # conform to RFC1035
    
    };
    

    named.conf.local

    //
    // Do any local configuration here
    //
    
    // Consider adding the 1918 zones here, if they are not used in your
    // organization
    //include "/etc/bind/zones.rfc1918";
    

    named.conf.default-zones

    // prime the server with knowledge of the root servers
    zone "." {
            type hint;
            file "/etc/bind/db.root";
    };
    
    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912
    
    zone "localhost" {
            type master;
            file "/etc/bind/db.local";
    };
    
    zone "127.in-addr.arpa" {
            type master;
            file "/etc/bind/db.127";
    };
    
    zone "0.in-addr.arpa" {
            type master;
            file "/etc/bind/db.0";
    };
    
    zone "255.in-addr.arpa" {
            type master;
            file "/etc/bind/db.255";
    };
    
  • Rui F Ribeiro
    Rui F Ribeiro over 8 years
    btw, OpenDNS (and others) support encrypted forwarding. I do it at home.
  • Rui F Ribeiro
    Rui F Ribeiro over 8 years
    Open a new question and comment with my user; that way it will be documented and we won't mix up subjects/questions.
  • user3450548
    user3450548 over 8 years
    Ok, I will :) Coffee first, then I will write the new question!
  • Rui F Ribeiro
    Rui F Ribeiro over 8 years
    I have seen it now... more complex than I was expecting, actually. Will answer later on.