Home / server / Questions / 347295
Accepted
JohnnyFromBF
Asked: 2012-01-07 05:26:13 +0800 CST

How to configure bind9 to be a local DNS only with no internet access?

  • 772

I want to configure bind9 to be a local DNS only with no internet access at all. So I have 5 PCs in my virtual domain xy.com. Within this domain there is no access to the internet.

The DNS server has entries like:

  • pc1.xy.com IN A 10.1.1.1
  • pc2.xy.com IN A 10.1.1.2
  • .
  • .
  • pc5.xy.com IN A 10.1.1.5

Bind is configured correctly but when I do a "dig @localhost pc1" on the DNS server it does not work because he gets stuck contacting the root servers. But I only want him to be local and to answer which IP pc1 has.

How can I achieve this?

domain-name-system internet bind reverse-dns local-area-network

3 Answers

  1. Best Answer

    To achieve this you need to create a fake root zone to replace the "root.hints" zone that's normally configured.

    In named.conf put this:

    zone "." IN {
        type master;
        file "fake.root";
};

    and in fake.root put this:

    $TTL    300
.               IN      SOA ns. hostmaster.xy.com. (
                        20120101 1800 900 604800 86400
                )
.               IN      NS      ns
ns              IN      A       127.0.0.1

    This will prevent all attempts to access the internet to obtain the real root hints.

    You can also put your pcN.xy.com entries directly into that root zone, too - there's no need for them to be in their own xy.com zone file, so you can just append the following to fake.root:

    $ORIGIN xy.com.
pc1             IN      A       10.1.1.1
pc2             IN      A       10.1.1.2
pc3             IN      A       10.1.1.3
pc4             IN      A       10.1.1.4
pc5             IN      A       10.1.1.5

    Apart from any options { } that you may need (ACLs?) that's it - nothing else required.

    • 9

  2. You need to disable recursion:

    Add to the config:

    allow-transfer {“none”;};

    allow-recursion {“none”;};

    My config "named.conf" looks like this (on RHEL system):

    options {
        allow-query {
        any;
};
allow-recursion {
        none;
};
    • 4

  3. You did not describe your configuration in enough detail. I think you are missing the authoritative part. You need to have a block like this in your config files:

    zone "domain.lan" {
        type master;
        file "master/db.domain.lan";
        allow-update { none; };
};

    where master/db.domain.lan should point to the zone file which should contain the records you posted above. Also, the zone file should have SOA (start of authority) record in its header. The zone file should like like:

    domain.lan.     86400   IN SOA  dns.domain.lan. root.dns.domain.lan. ( 1 10800 3600 6044800 86400 )
                86400   IN NS   dns.domain.lan.

dns.domain.lan.      86400   IN   A    10.10.10.1
pc.domain.lan.    86400   IN   A    10.10.10.2

    You can customize the names/values/IPs according to your needs.

    • 2