[Unbound-users] Replacing /etc/hosts aliases with local-data: directive

Carsten Strotmann unbound at strotmann.de
Fri Mar 25 07:51:04 UTC 2011


On 3/24/11 9:12 PM, Steve Jenkins wrote:
>
> I can make it function with the following:
>
> local-zone: "local." static
> local-data: "jim.local.     IN A 123.456.78.910"
> local-data: "doug.local.   IN A 234.567.89.012"
> local-data: "sally.local.    IN A 345.678.90.123"
Hello Steve,

please be aware that the use of a non-registered top level domain, esp.
the top level domain ".local', can be problematic.

The problem here is that if your network is attached to the Internet,
any typo will leak out to the Internet root DNS Server system and will
cause little traffic there. Having only one system doing this is not a
big problem, but in total most of the traffic going to the root DNS
Server system is such bogus traffic that should be avoided (there is
also a security aspect in having private data leaking to the public
Internet).

This graph at
http://dns.icann.org/cgi-bin/dsc-grapher.pl?window=86400&plot=qtype_vs_invalid_tld&server=L-root
shows all the invalid TLD queries going to one of the root name servers
(l.root-server.net).

You see '.local' is very high in that list. The reason for this is that
the '.local' TLD is used for a service called 'MulticastDNS'
(http://www.multicastdns.org/). Multicast DNS is know as
'Bonjour/Rendezvous' on Apple MacOS X systems, and Avahi on
Linux/Solaris and the BSD Unixes. It is also build into some hardware,
such as Axis network cameras, Roku SoundBridges, TiVo PVR. It can also
be installed on Windows systems.

On these machines, any name lookup for a domain name will not send to
the DNS system (the Unbound resolver) but will be resolved by the
operating system using multicast DNS.

So your use of '.local' will not work on these system.

A much 'standard compliant' way would be to use a full DNS name in
Unbound. If your official DNS domain is 'example.com', your can use in
the Unbound configuration:

local-zone: "example.com." static
local-data: "jim.example.com. IN A 123.456.78.910"
local-data: "doug.example.com. IN A 234.567.89.012"
local-data: "sally.example.com. IN A 345.678.90.123"

and then use the same trick Arni has suggested in the 'resolv.conf':

*
# cat /etc/resolv.conf
search example.com
nameserver 127.0.0.1
*
If you down own your own domain, it is better to get one (domains are
not expensive) and not to 'hijack' one (as you do not own '.local',
using that TLD withour permission is kind of hijacking it).

Best regards

Carsten



More information about the Unbound-users mailing list