Maintained by: NLnet Labs

[Unbound-users] Replacing /etc/hosts aliases with local-data: directive

Chris Smith
Fri Mar 25 20:49:52 CET 2011


On Fri, Mar 25, 2011 at 3:51 AM, Carsten Strotmann <unbound at strotmann.de> wrote:
> please be aware that the use of a non-registered top level domain, esp.
> the top level domain '.local', can be problematic.
>
> The problem here is that if your network is attached to the Internet,
> any typo will leak out to the Internet root DNS Server system and will
> cause little traffic there. Having only one system doing this is not a
> big problem, but in total most of the traffic going to the root DNS
> Server system is such bogus traffic that should be avoided (there is
> also a security aspect in having private data leaking to the public
> Internet).
>
> This graph at
> http://dns.icann.org/cgi-bin/dsc-grapher.pl?window=86400&plot=qtype_vs_invalid_tld&server=L-root
> shows all the invalid TLD queries going to one of the root name servers
> (l.root-server.net).
>
> You see '.local' is very high in that list. The reason for this is that
> the '.local' TLD is used for a service called 'MulticastDNS'
> (http://www.multicastdns.org/). Multicast DNS is known as
> 'Bonjour/Rendezvous' on Apple MacOS X systems, and Avahi on
> Linux/Solaris and the BSD Unixes. It is also built into some hardware,
> such as Axis network cameras, Roku SoundBridges, TiVo PVR. It can also
> be installed on Windows systems.
>
> On these machines, any name lookup for a domain name will not be sent to
> the DNS system (the Unbound resolver) but will be resolved by the
> operating system using multicast DNS.
>
> So your use of '.local' will not work on these systems.

I'm not following everything here.

I remember when my distro started incorporating mDNS and my ".local"
internal TLD, which had worked fine for years, stopped functioning
properly. I either had to change my internal TLD or disable mDNS on
the systems. The better fix was to stop using ".local" so I elected
that route.

However, the mDNS issue aside, I was under the impression that Unbound
does not recursively resolve local-data, that it is in effect
authoritative for it, much like using a stub-zone pointing to an
authoritative server such as NSD serving a private internal domain
(such as .soho, .office, .home, etc.). Therefore queries for such
domain names would not get leaked to the root servers. Or would they?
What am I missing?

Thanks,

Chris
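As an added example (not from this thread or from NLnet Labs), an Unbound configuration fragment for the two setups Chris describes: local-data for a private TLD, and a stub-zone pointing at an internal authoritative server. The zone names, addresses and hostnames are made up for illustration.

```conf
server:
    # Weak: local-data on its own. Unbound implicitly creates a
    # transparent local-zone for "home.", so the listed names are
    # answered locally, but any name NOT listed (a typo such as
    # "fileservr.home.") is resolved normally and the query goes out
    # to the root servers, which is exactly the leak discussed above.
    # local-data: "fileserver.home. IN A 192.0.2.10"

    # Hardened: declare the private TLD as a static local zone first.
    # Listed names are answered from local-data; every other name under
    # "home." gets NXDOMAIN from Unbound itself and never leaves the box.
    local-zone: "home." static
    local-data: "fileserver.home. IN A 192.0.2.10"
    local-data: "printer.home.    IN A 192.0.2.20"
    local-data-ptr: "192.0.2.10 fileserver.home"

    # Stub-zone alternative (internal zone served by e.g. NSD): tell the
    # validator the zone is intentionally unsigned, otherwise a validating
    # Unbound still asks the root for a DS record for "office." to prove
    # the zone is insecure, and that query leaks.
    domain-insecure: "office."

stub-zone:
    name: "office."
    stub-addr: 192.0.2.53   # hypothetical internal NSD address
```

Check the result with `unbound-checkconf` and, after a reload, confirm that a lookup for an unlisted name under the private TLD returns NXDOMAIN from the resolver without any upstream traffic.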