We're running a private recursive DNS (BIND 9.10.3) for a small group of people outside our network to speed up their browsing. I've noticed recently that our server is answering queries with ".local" or ".home" attached to some of the inbound queries, as well as some queries coming in for "local" or even "home" without any other data. Here is an example from our logs (1.2.3.4 is our DNS):
Oct 20 09:36:28 dns1 named[3080]: client X.X.X.X#50315 (somethingrandom.local): view someview: query: somethingrandom.local IN A + (1.2.3.4)
Oct 20 09:36:38 dns1 named[3080]: client X.X.X.X#50315 (somethingrandom.local): view someview: query: somethingrandom.home IN A + (1.2.3.4)
Oct 20 09:36:55 dns1 named[3080]: client X.X.X.X#57750 (local): view someview: query: local IN SOA + (1.2.3.4)
Oct 20 09:36:59 dns1 named[3080]: client X.X.X.X#49441 (local): view someview: query: local IN SOA + (1.2.3.4)
Oct 20 09:37:01 dns1 named[3080]: client X.X.X.X#53231 (local): view someview: query: local IN SOA + (1.2.3.4)
I did a dig against the server to see what response is being returned, and am pretty sure the response below is exactly correct; however, I am not 100% sure. The dig output is below; I just need someone to confirm it looks the way it should - we don't want to answer anything on localhost or localnet (which is in place now).
> dig @ourdns local
Answer:
; <<>> DiG 9.10.3 <<>> @dns1 local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4495
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;local. IN A
;; AUTHORITY SECTION:
. 85530 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015102000 1800 900 604800 86400
;; Query time: 17 msec
;; SERVER: 1.2.3.4#53(1.2.3.4)
;; WHEN: Tue Oct 20 13:00:17 EDT 2015
;; MSG SIZE rcvd: 109
Yup, that's a good response - notice the NXDOMAIN status, which means it's saying "nothing there" to the client. Since it's a recursor, it's basing that decision on the fact that it asked the root servers for .local and the root servers responded that it doesn't exist. (Fun fact - this kind of query for an invalid TLD is a significant portion of the load on the root DNS servers, since the non-existence of the .local TLD isn't cacheable for nearly as long as the existence of a real TLD is.)
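As an added example (not from the question or the answer above), the following Python script does the two checks a practitioner would want here: it parses BIND 9 query-log lines in the format shown in the question and counts which clients are sending queries for non-existent TLDs, and it parses the dig output above to confirm the NXDOMAIN status and compute how long a resolver will cache that negative answer (RFC 2308: the SOA TTL in the authority section, which the authoritative server has already capped at the SOA MINIMUM field). The log lines and client addresses are constructed samples, and the list of bogus TLDs beyond .local and .home is an assumption for illustration.

```python
import re
from collections import Counter

# Constructed sample of BIND 9 query-log lines, same format as the post.
# Client addresses are RFC 5737 documentation addresses, not real clients.
SAMPLE_LOG = """\
Oct 20 09:36:28 dns1 named[3080]: client 192.0.2.10#50315 (somethingrandom.local): view someview: query: somethingrandom.local IN A + (1.2.3.4)
Oct 20 09:36:38 dns1 named[3080]: client 192.0.2.10#50315 (somethingrandom.home): view someview: query: somethingrandom.home IN A + (1.2.3.4)
Oct 20 09:36:55 dns1 named[3080]: client 192.0.2.11#57750 (local): view someview: query: local IN SOA + (1.2.3.4)
Oct 20 09:37:10 dns1 named[3080]: client 192.0.2.12#40000 (www.example.com): view someview: query: www.example.com IN A + (1.2.3.4)
"""

# The dig response from the question (answer section only).
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4495
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;local. IN A
;; AUTHORITY SECTION:
. 85530 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015102000 1800 900 604800 86400
"""

# TLDs that do not exist in the public root. .local and .home are the two
# seen in the post; the others are an assumption added for illustration.
BOGUS_TLDS = {"local", "home", "lan", "corp", "internal"}

# Matches "client IP#PORT (qname): view NAME: query: QNAME IN QTYPE".
QUERY_RE = re.compile(
    r"client (?P<ip>[^#\s]+)#(?P<port>\d+) \([^)]*\): "
    r"view (?P<view>\S+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Matches an SOA record line such as the one in the dig authority section.
SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+\S+\s+\S+\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+"
    r"(?P<expire>\d+)\s+(?P<minimum>\d+)",
    re.MULTILINE,
)
STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+)")


def parse_query_log(text):
    """Yield one dict per BIND query-log line, with the query's TLD added."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            q = m.groupdict()
            q["tld"] = q["qname"].rstrip(".").rsplit(".", 1)[-1].lower()
            yield q


def bogus_tld_report(text):
    """Count queries for non-existent TLDs, per TLD and per client address."""
    by_tld = Counter()
    by_client = Counter()
    for q in parse_query_log(text):
        if q["tld"] in BOGUS_TLDS:
            by_tld[q["tld"]] += 1
            by_client[q["ip"]] += 1
    return by_tld, by_client


def negative_cache_ttl(dig_output):
    """Return (rcode, seconds) for a dig response.

    seconds is how long a resolver may cache the negative answer: the TTL of
    the SOA in the authority section, which the authoritative server already
    set to min(SOA TTL, SOA MINIMUM) per RFC 2308 section 3. Both values are
    taken here and the smaller used, in case the output was hand-edited.
    Returns None for seconds when no SOA is present (nothing to cache from).
    """
    status = STATUS_RE.search(dig_output)
    rcode = status.group("status") if status else None
    soa = SOA_RE.search(dig_output)
    if not soa:
        return rcode, None
    return rcode, min(int(soa.group("ttl")), int(soa.group("minimum")))


if __name__ == "__main__":
    tlds, clients = bogus_tld_report(SAMPLE_LOG)
    print("bogus TLD queries:", dict(tlds))
    print("by client:", dict(clients))
    print("dig status / negative cache TTL:", negative_cache_ttl(SAMPLE_DIG))
```

Run it against a real query log with `bogus_tld_report(open("/var/log/named/query.log").read())` to see which of the external clients are leaking their internal search domains; on the dig output from the question it reports NXDOMAIN with a remaining negative-cache lifetime of 85530 seconds, slightly under the root SOA's 86400-second MINIMUM because the recursor had already held the answer for a few minutes.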