Maintained by: NLnet Labs

[Unbound-users] Replacing /etc/hosts aliases with local-data: directive

Carsten Strotmann
Sat Mar 26 11:30:56 CET 2011


On 3/25/11 8:49 PM, Chris Smith wrote:
> However, the mDNS issue aside, I was under the impression that Unbound
> does not recursively resolve local-data, that it is in effect
> authoritative for it, much like using a stub-zone pointing to an
> authoritative server such as NSD serving a private internal domain
> (such as .soho, .office, .home, etc.). Therefore queries for such
> domain names would not get leaked to the root servers. Or would they?
> What am I missing?
Hello Chris,

you are right, if these queries would only go towards a carefully
configured resolving DNS Server that terminates this local domain, the
names will not leak.

However, experience shows that the names will show up inside the payload
of network data (badly designed protocols that embed names in the
payload) and as a result of this will be looked up in different
networks where you do not have control over the DNS and the local
names are not terminated on the resolving DNS Server.

It is very hard to prevent leakage of private names.

An official DNS domain that is registered in the Internet, but only used
in the internal network is the best choice. It prevents any name
clashes, because you 'own' that name.

Starting later this year it will be possible to 'buy' your own top level
domain (not cheap though). So you cannot be sure that any 'private' top
level domain will not appear in the Internet at some point in time.

Other than spending a little money for a domain (you can get domains for
less than US$ 20 a year), there is no technical difference for the
operator using a registered domain you own internally vs. an
unregistered TLD. But there is a difference for the Internet infrastructure.

-- Carsten
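Added illustration (not part of Carsten's or Chris's messages): an unbound.conf fragment showing the two ways the thread mentions of "terminating" a private domain on the resolver, so that neither existing nor mistyped names under it reach the root servers. The zone name "home." and the addresses 10.0.0.x are constructed for the example. The caveat worth knowing is the local-zone type: a zone that exists only because local-data lines were given is created as "transparent", and a transparent zone resolves any name that has no local-data normally, i.e. upstream. Declaring the zone "static" makes Unbound itself answer NXDOMAIN for unknown names under it.

```conf
server:
    # Option 1: serve the private names from Unbound's own local-data.
    # "static" means names under home. that have no local-data get
    # NXDOMAIN from Unbound and are never sent towards the roots.
    # Leaving this line out would create the zone as "transparent",
    # and unknown names (typos, stale hosts) would be resolved upstream.
    local-zone: "home." static
    local-data: "fileserver.home. IN A 10.0.0.5"
    local-data: "printer.home.    IN A 10.0.0.6"
    local-data-ptr: "10.0.0.5 fileserver.home."
    local-data-ptr: "10.0.0.6 printer.home."

    # If DNSSEC validation is enabled, an unsigned private zone hanging
    # off the (signed) root would be treated as bogus; mark it insecure.
    domain-insecure: "home."

# Option 2 (instead of the local-data above): hand the whole zone to an
# internal authoritative server such as NSD. Queries for home. go only
# to 10.0.0.2; nothing under home. is sent to the Internet.
stub-zone:
    name: "home."
    stub-addr: 10.0.0.2
```

After editing, `unbound-checkconf` verifies the syntax, and a query such as `dig @127.0.0.1 nosuchhost.home` should return NXDOMAIN with no traffic leaving towards the root servers; with a transparent zone the same query would be forwarded upstream, which is exactly the leak the thread is about. Neither option helps with the other leak Carsten describes, names embedded in application payloads that are later looked up on networks you do not control.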