| D. Wessels | |
| CAIDA/TMF | |
| December 20, 2002 |
Running An Authoritative-Only BIND Nameserver
isc-tn-2002-2
This memo describes a methodology in use by some network operators which may be of use to other members of the Internet technical community.
Nameservers (BIND) fulfill two functions: serving authoritative data for delegated zones, and relaying queries and responses for non-authoritative zones. In the interest of security, operators generally should not use a single nameserver for both functions. This note explains why, and how, you should configure BIND to implement these functions separately.
Copyright © 2002, 2003 ISC, Inc. All Rights Reserved. Distribution of this memo is unlimited, if full attribution is given.
BIND serves data authoritatively when you use a zone directive with type master or slave in named.conf:
zone "example.com" {
type master;
file "master/example.com";
};
Typically, BIND receives queries for authoritative zones from all over the Internet. When BIND receives a query for a name in an authoritative zone, it returns either a valid RR, or an NXDOMAIN error.
In order to improve response time and reduce network traffic, BIND also functions as a local caching nameserver. Local clients initially contact the caching nameserver, which resolves cache misses through recursion. In this case, BIND is normally configured with the root zone as type hint:
zone "." {
type hint;
file "named.root";
};
BIND serves cached data non-authoritatively.
Although BIND can provide both functions (authoritative and non-authoritative) in single instance, ISC recommends always separating these two functions. In other words, you should run one server for your authoritative zones, and another that caches non-authoritative data. Reasons include:
When you disable recursion, BIND does not contact other servers for unknown zones on the client's behalf. Instead, it either returns a referral to a server that can answer the query, or returns an error message.
To disable recursion, use the recursion no; option in named.conf. It also makes sense to disable fetch-glue when recursion is disabled:
options {
recursion no;
fetch-glue no;
};
If you have the root zone as a hint in named.conf, queries for unknown zones receive a referral to the root name servers. On the other hand, if you remove the root zone hints, clients receive a SERVFAIL error message. ISC recommends removing the root zone hints for authoritative-only nameservers.
Your named.conf file should contain a hint for the root zone, a master zone for 0.0.127.IN-ADDR.ARPA, as well as master zones for any private ([RFC1918]) addresses that you may be using:
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "master/localhost.rev";
};
zone "0.168.192.IN-ADDR.ARPA" {
type master;
file "master/192.168.0.rev";
};
zone "." {
type hint;
file "named.root";
};
This name server should only be used by your local clients. You may wish to place the server behind a firewall to prevent unauthorized access.
You may want to periodically test that your nameservers are configured as they should be. For example, your authoritative-only nameserver should return an error (SERVFAIL) for domains that don't belong to you:
% dig @127.0.0.1 example.com soa
; <<>> DiG 8.3 <<>> @127.0.0.1 example.com soa
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; example.com, type = SOA, class = IN
;; Total query time: 0 msec
;; FROM: localhost to SERVER: 127.0.0.1 127.0.0.1
;; WHEN: Fri Dec 20 09:57:08 2002
;; MSG SIZE sent: 29 rcvd: 29
Also note that ra (recursion available) is missing from the flags line.
This work partially funded by CAIDA and WIDE.
| [RFC1918] | Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996. |