Binding

Hi,

I need some help with BIND9.

I'm going to allocate ~20 domains in a typical LAMP system (Gentoo). Most of those domains are registered via Gandi in which I can do custom DNS (A, MX, CNAME…), so I really don't need to run BIND in my system. But, I want to run BIND because 1) I want to learn it, 2) I want to use webmin --> servers --> virtualmin and it seems simpler if I use BIND, 3) running BIND lets me create some scripts to add subdomains ad-hoc, for example.

I made a glue record using Gandi's interface, so I now have ns.mydomain.net pointing to my linode IP. Gandi provides free secondary NS for me -- although that's a question for tomorrow. I think that glue record was the first step.

Now, I have bind (named) started, and I can do dig @myip linode.com and it answers.

And that is exactly my problem. I don't want people to point to my linode as their DNS server, and ask it for everything. I agree my DNS knowledge is about zero, but I think it should be possible for my BIND to answer ONLY for the domains it hosts, and only for them.

I've started reading about BIND and I cannot find this option -- well, I really don't know the term I'm looking for. Any ideas?

Thank you!

7 Replies

I don't know the specific option myself, but I can help you with the term you want. What you want is an option that means the server only answers for domains for which it considers itself "authoritative".

Simply put, a non-authoritative domain is one which it has to check from another source (or which has been cached from another source). An authoritative one is one that it knows about itself without having to check anywhere else, which will be the case for your own DNS entries.

I think you're looking for something like this:

options {
        directory "/var/named";
        recursion no;
};

Change "/var/named" to wherever, of course. You probably already have an options section in your named.conf, and you would just need to add the recursion statement to it. Make sure your resolv.conf doesn't list localhost etc. :)

Thank you for your answers. Recursion no seems to do the trick, but when I try nslookup from Windows or dig from my linode:

> www.terra.es
Servidor: lixx-xx.members.linode.com
Address: 70.85.xxx.xxx

Nombre: www.terra.es
Served by:
- L.ROOT-SERVERS.NET
- M.ROOT-SERVERS.NET
- A.ROOT-SERVERS.NET
- B.ROOT-SERVERS.NET
- C.ROOT-SERVERS.NET
- D.ROOT-SERVERS.NET
- E.ROOT-SERVERS.NET
- F.ROOT-SERVERS.NET
- G.ROOT-SERVERS.NET
- H.ROOT-SERVERS.NET

; <<>> DiG 9.2.5 <<>> @localhost www.terra.es
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16071
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;www.terra.es. IN A

;; AUTHORITY SECTION:
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.

;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 19 22:59:24 2005
;; MSG SIZE rcvd: 241

It seems quite strange. I've found a way to do an "Authoritative Only DNS Server", at http://www.zytrax.com/books/dns/ch6/index.html#authoritative, and I see that the approach is the same (recursion no).

I was expecting an error message for my request, but anyway it may work for my needs.

Thank you very much!

@fernandonajer:

Hi,

And that is exactly my problem. I don't want people to point to my linode as their DNS server, and asks it for everything.

I have dns on my linode with different IPs. It's unlikely that can reach anything else either.

You can configure dns so that other servers will cache even if your dns server is down.

@fernandonajer:

Thank you for your answers. Recursion no seems to do the trick, but when I try nslookup from Windows or dig from my linode:

-snip-

It seems quite strange. I've found a way to do an "Authoritative Only DNS Server", at http://www.zytrax.com/books/dns/ch6/index.html#authoritative, and I see that the approach is the same (recursion no).

I was expecting an error message for my request, but anyway it may work for my needs.

Thank you very much!

Yeah, you won't get an error, just the root hints. Basically your server tells the client "I don't have that information, but here's where you can start".

If you really wanted to configure it to generate errors or NXDOMAINs, I'm sure there are some config tricks you can do, but it's not going to be worth your time. :)
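The reply above describes three possible replies to a query for a name the server does not host: an answer (recursion is on), a referral to the root hints (what the dig output in this thread shows), or, on newer BIND, REFUSED. The following is an added example, not something posted in the thread: a small POSIX shell checker that reads dig's output and classifies it from the header flags, so you can confirm from an outside host that your server is not acting as an open resolver. `dig` is real; `classify_dig_output`, `check_server` and the `sample_*` functions are names chosen here, and the sample headers are constructed (the first one copies the header from the thread's own dig run).

```shell
#!/bin/sh
# Added example (not from the thread): tell apart, from dig's header lines,
# the outcomes discussed above when a server is asked for a name it does
# not host. Reads dig output on stdin and prints one word:
#   open-resolver  "ra" flag set: the server offers recursion to this client
#   authoritative  "aa" flag set: the server hosts the zone asked about
#   refused        status REFUSED: what newer BIND returns with recursion off
#   referral       NOERROR with no answer records (root NS in AUTHORITY):
#                  the "here is where to start" reply shown in the thread
# Exit status is 1 only for open-resolver, so it can gate a cron check.
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case " $flags " in
        *" ra "*) echo open-resolver; return 1 ;;
        *" aa "*) echo authoritative; return 0 ;;
    esac
    if [ "$status" = REFUSED ]; then
        echo refused
    elif [ "$status" = NOERROR ] && [ "${answers:-0}" -eq 0 ]; then
        echo referral
    else
        echo unexpected
    fi
}

# Live check (needs dig): check_server <server-ip> <name-you-do-not-host>
# dig sends the query with RD set, which is exactly what a client abusing
# an open resolver would do.
check_server() {
    dig @"$1" "$2" A | classify_dig_output
}

# Constructed samples for offline use. The first is the header from the
# thread's own dig run; the other two are made up for illustration.
sample_referral() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16071
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
EOF
}
sample_open_resolver() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
EOF
}
sample_refused() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
}

# Usage: sample_referral | classify_dig_output      prints "referral"
#        check_server 127.0.0.1 www.example.com     against a running named
```

Run `check_server` from a machine that is not in your `allow-recursion` list: the `ra` flag means "recursion available to the client that asked", so a query from localhost against a server that permits recursion for 127.0.0.1 is reported as open-resolver by design.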

@NecroBones:

If you really wanted to configure it to generate errors or NXDOMAINs, I'm sure there are some config tricks you can do, but it's not going to be worth your time. :)

Ok, I'll leave it that way. I've started to host my sites with my own DNSs, I've 3 of them up and running, so I'm :D

Thank you for your help!

Try something like

options {
        allow-recursion { 127.0.0.1; };
        directory "/var/named";
};

This should only allow your own machine to use your DNS server for recursive lookups.

If I try to use my server to lookup other stuff (firstly for a domain it's authoritative for, then for someone else's domain):

server 66.160.141.105
Default server: 66.160.141.105
Address: 66.160.141.105#53

sweh.spuddy.org
Server: 66.160.141.105
Address: 66.160.141.105#53

sweh.spuddy.org canonical name = linode.spuddy.org.
Name: linode.spuddy.org
Address: 66.160.141.105

www.linode.com
Server: 66.160.141.105
Address: 66.160.141.105#53

Non-authoritative answer:
*** Can't find www.linode.com: No answer
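Putting the two suggestions in this thread (`recursion no` and `allow-recursion` limited to localhost) together, here is an added example of a complete authoritative-only named.conf; it is not a config anyone posted in the thread. The zone name `example.net`, the zone file name and the secondary's address `192.0.2.53` are placeholders to replace with your own.

```conf
// Added example, not from the thread: a named.conf that answers only for
// the zones it hosts. Zone name, file name and addresses are placeholders.
options {
        directory "/var/named";

        // Refuse to resolve names this server is not authoritative for.
        // A query for anything else gets a referral or REFUSED, never an
        // answer fetched on the client's behalf.
        recursion no;

        // Anyone may ask about the zones below.
        allow-query { any; };

        // Only this machine could ever use recursion. While recursion is
        // "no" this list is not consulted, but it keeps the intent explicit
        // if recursion is switched back on for local troubleshooting.
        allow-recursion { 127.0.0.1; };

        // Zone transfers only to your secondary (placeholder address);
        // without this, anyone can pull a full copy of every zone.
        allow-transfer { 192.0.2.53; };
};

// One block per hosted domain; add more as you allocate domains.
zone "example.net" {
        type master;
        file "example.net.zone";
};
```

After editing, `named-checkconf` validates the syntax and `rndc reload` picks up the change; then query the server from outside for a name you do not host and confirm the reply carries no `ra` flag.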
