BIND Setup - Serve internal LAN, query outside results

Setting up an internal private server for some testing on our corp LAN. I want it to be authoritative for an internal domain and hosts, but be able to resolve stuff on the internet (google, yahoo etc.)

I can get the internal part working just fine, but when I try to resolve something public, it fails. I am probably missing one simple flag in my /etc/named.conf (BTW, RHEL 7.3 is my OS).

I can paste the contents of my configuration, but thought I would start here.

I started very simple, just to get it working and then plan to add more as I go along. I just need to fix the external resolving issue I am currently having.

Thanks!

IllusionMan

EDIT: Never mind. Think I figured it out. I had to set up 'forwarders' in the options section and turn on recursion. Right now, it is working the way I want.

linux dns






edited Dec 20 '18 at 7:09 – Rui F Ribeiro
asked Jun 24 '17 at 17:46 – theillusionman











  • It is a bad idea to have the same server being both authoritative and recursive. You should split these 2 functions into 2 separate servers.
    – Patrick Mevzek
    Jun 25 '17 at 10:53
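The question's fix (forwarders plus recursion) and the comment above are where the security-relevant decision sits. Once recursion is on, whoever is allowed to recurse through this box can use it as an open resolver (a cache-poisoning target and an amplification source), and because the same box is authoritative for the internal zone, an unrestricted allow-transfer lets anyone pull the LAN host inventory with AXFR. The script below is an added example, not code from the question, the answer or ISC: a small parser for named.conf syntax plus an audit that flags those two exposures. Both configuration texts inside it are constructed for the example (the weak one mimics a RHEL-style named.conf after the common edit to allow-query { any; }; the ACL name lan and the 10.99.99.0/24 subnet taken from the answer's zones are assumptions). The fallback it encodes for an unset allow-recursion (allow-query-cache, then allow-query, then localnets and localhost) is BIND 9's documented default, which is why "recursion yes" plus "allow-query { any; }" and nothing else is an open resolver.

```python
"""Audit a BIND named.conf for open-resolver and zone-transfer exposure.

Added example for this thread; not code from the question, the answer or ISC.
tokenize/parse handle named.conf syntax (braces, semicolons, //, # and /* */
comments); audit applies BIND 9's fallback for an unset allow-recursion:
allow-query-cache, then allow-query, then "localnets; localhost;". Both
configs are constructed; 10.99.99.0/24 is the subnet from the answer's zones.
"""
import re

# Constructed: RHEL-style named.conf after the usual "make it work" edits
# (recursion on, forwarders set, allow-query opened) and nothing limiting recursion.
WEAK_CONFIG = """
options {
    directory "/var/named";
    allow-query { any; };        # opened so LAN clients can query
    recursion yes;
    forwarders { 8.8.8.8; };
    dnssec-validation yes;
};
"""

# Constructed: same server, recursion and cached answers limited to the LAN ACL, transfers refused.
HARDENED_CONFIG = """
acl "lan" { 127.0.0.0/8; 10.99.99.0/24; };
options {
    directory "/var/named";
    allow-query { lan; };
    allow-query-cache { lan; };
    allow-recursion { lan; };
    allow-transfer { none; };
    recursion yes;
    forwarders { 8.8.8.8; };
    dnssec-validation yes;
};
"""

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def tokenize(text):
    """Drop /* */, // and # comments, then split into words, strings and punctuation."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    text = re.sub(r'(//|#).*', '', text)
    return _TOKEN.findall(text)

def parse(tokens, pos=0):
    """Return (statements, pos); a statement is (keyword, args, nested block or None)."""
    stmts, cur, block = [], [], None
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == '{':
            block, pos = parse(tokens, pos + 1)   # pos now sits after the matching '}'
        elif tok == '}':
            return stmts, pos + 1
        elif tok == ';':
            if cur or block is not None:
                stmts.append((cur[0] if cur else '', cur[1:], block))
            cur, block, pos = [], None, pos + 1
        else:
            cur.append(tok.strip('"'))
            pos += 1
    return stmts, pos

def _by_keyword(stmts):
    return {name: (args, block) for name, args, block in stmts}

def _values(opts, key):
    """Address-match list (or plain arguments) of an option; None if it is unset."""
    if key not in opts:
        return None
    args, block = opts[key]
    return [name for name, _, _ in block] if block is not None else list(args)

def effective_allow_recursion(opts):
    """BIND 9's fallback chain when allow-recursion is not set explicitly."""
    for key in ('allow-recursion', 'allow-query-cache', 'allow-query'):
        acl = _values(opts, key)
        if acl is not None:
            return acl
    return ['localnets', 'localhost']

def audit(config_text):
    """Return a list of findings; an empty list means the config passes."""
    top = _by_keyword(parse(tokenize(config_text))[0])
    if top.get('options', (None, None))[1] is None:
        return ['no options block found']
    opts = _by_keyword(top['options'][1])
    findings = []
    if _values(opts, 'recursion') != ['no']:        # BIND defaults to recursion yes
        acl = effective_allow_recursion(opts)
        if 'any' in acl:
            findings.append('open resolver: recursion is on and the effective '
                            'allow-recursion list is { %s; }' % '; '.join(acl))
    transfer = _values(opts, 'allow-transfer')
    if transfer is None or 'any' in transfer:
        findings.append('zone transfer: allow-transfer is %s; set { none; } or list '
                        'only your secondaries' % ('unset' if transfer is None else '{ any; }'))
    return findings

if __name__ == '__main__':
    for label, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(label, audit(cfg) or ['no findings'])
```

Run as a script it prints the findings for both constructed configs; on a live server the same functions can be pointed at the output of named-checkconf -p, which prints the fully expanded configuration with includes resolved. Patrick Mevzek's advice to split the authoritative and recursive roles onto separate servers removes the problem rather than fencing it in; the hardened block is the single-server compromise, and it still relies on the LAN ACL being correct and the host not being reachable from outside on port 53.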
















1 Answer
Here are the contents of my /etc/bind on Debian with a config working the way you say you want - authoritative for a fake domain/tld (called fake.tld) on the local LAN using non-routable addresses (10.99.99.0/24 in my case) with reverse DNS for LAN addresses, and other lookups for "real" DNS sent out to the world (in this case, forwarded to google's 8.8.8.8). The only files not represented here are /etc/bind/rndc.key and /etc/bind/bind.keys. Each file is introduced by its name, and the end of each file is marked with a comment in the appropriate style for that file (i.e., ; in a zone file).



named.conf:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

//end named.conf

named.conf.default-zones:

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

//end named.conf.default-zones

named.conf.local:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "fake.tld" {
    type master;
    notify no;
    file "/etc/bind/db.fake.tld";
};

zone "99.99.10.in-addr.arpa" {
    type master;
    notify no;
    file "/etc/bind/db.10.99.99";
};

//end named.conf.local

named.conf.options:

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        8.8.8.8;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};

//end named.conf.options

db.0:

;
; BIND reverse data file for broadcast zone
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
;end db.0

db.10.99.99:

$TTL 3D         ; default ttl for records without a specified lifetime
$ORIGIN 99.99.10.in-addr.arpa.
@       IN      SOA     ns.fake.tld. root.fake.tld. (
                        2017012811      ; serial number
                        1638            ; ns refresh
                        204             ; ns retry
                        10485           ; authority expiry
                        256 )           ; min (RFC2308 §4)
; we don't use a hostname when we tell about our nameserver(s)
        IN      NS      ns.fake.tld.
; hostname in this case is the last quad of the IP address
1       IN      PTR     gw.fake.tld.
2       IN      PTR     ns.fake.tld.
3       IN      PTR     dhcp.fake.tld.
10      IN      PTR     fileserver.fake.tld.

;end db.10.99.99

db.127:

;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
1.0.0   IN      PTR     localhost.
;end db.127

db.255:

;
; BIND reverse data file for broadcast zone
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
;end db.255

db.empty:

; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL    86400
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
;end db.empty

db.fake.tld:

$TTL    604800
@       IN      SOA     ns.fake.tld. root.fake.tld. (
                        2017062019      ; Serial
                                        ; YYYYMMDDVV
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
;
@               IN      NS      ns.fake.tld.
@               IN      A       10.99.99.2
gw              IN      A       10.99.99.1
ns              IN      A       10.99.99.2
dhcp            IN      A       10.99.99.3
fileserver      IN      A       10.99.99.10
gitlab          IN      A       10.99.99.7
;end db.fake.tld

db.local:

;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1
;end db.local

db.root:



; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jan 3, 2013
; related version of root zone: 2013010300
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
; End of File
;end db.root


zones.rfc1918:

zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
// end zones.rfc1918
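One thing worth checking in zone data like the answer's is that the forward and reverse zones agree with each other: db.fake.tld gives gitlab the address 10.99.99.7, but db.10.99.99 has no PTR for 7, so reverse lookups of that host fail, which shows up as unattributed addresses in logs and breaks anything doing forward-confirmed reverse DNS. named-checkzone validates each file's syntax on its own but does not cross-check the pair. The script below is an added example, not code from the answer or from ISC: a minimal RFC 1035 master-file parser (handling $ORIGIN, $TTL, ; comments, parenthesised multi-line records, blank-owner continuation, @ and relative names) and a cross-check that reports A records without a PTR, PTRs whose target does not carry that address, and PTRs for addresses that have no A record. The two zone texts embedded in it are the answer's db.fake.tld and db.10.99.99, reformatted; the parser is an assumption of the example and does not handle $INCLUDE, $GENERATE, quoted rdata or IPv6 reverse zones.

```python
"""Cross-check a LAN's forward zone against its reverse zone.

Added example for this thread; not code from the answer or from ISC. A minimal
RFC 1035 master-file parser feeds a check that every A record has a matching
PTR and vice versa. The zone texts are the answer's, reformatted.
"""
import re
from collections import defaultdict

FORWARD_ZONE = """\
$TTL 604800
@ IN SOA ns.fake.tld. root.fake.tld. (
        2017062019 604800 86400 2419200 604800 )  ; serial refresh retry expire minimum
@          IN NS ns.fake.tld.
@          IN A  10.99.99.2
gw         IN A  10.99.99.1
ns         IN A  10.99.99.2
dhcp       IN A  10.99.99.3
fileserver IN A  10.99.99.10
gitlab     IN A  10.99.99.7
"""

REVERSE_ZONE = """\
$TTL 3D            ; default ttl for records without a specified lifetime
$ORIGIN 99.99.10.in-addr.arpa.
@ IN SOA ns.fake.tld. root.fake.tld. (
        2017012811 1638 204 10485 256 )  ; serial refresh retry expire minimum
           IN NS  ns.fake.tld.           ; blank owner: same owner as the SOA
1          IN PTR gw.fake.tld.
2          IN PTR ns.fake.tld.
3          IN PTR dhcp.fake.tld.
10         IN PTR fileserver.fake.tld.
"""

_TTL = re.compile(r'^\d+[smhdw]?$', re.I)        # 3600, 3D, 1w, ...
_NAME_RDATA = {'NS', 'PTR', 'CNAME'}              # types whose rdata is a name to qualify

def qualify(name, origin):
    """Make a master-file name absolute relative to the current origin."""
    return origin if name == '@' else name if name.endswith('.') else f'{name}.{origin}'

def _logical_lines(text):
    """Strip ';' comments, join parenthesised records, yield (had_owner, line)."""
    buf, depth, had_owner = '', 0, True
    for raw in text.splitlines():
        line = raw.split(';', 1)[0]
        if not buf:
            had_owner = not raw[:1].isspace()   # owner present only if column 1 is not blank
        depth += line.count('(') - line.count(')')
        buf += ' ' + line
        if depth == 0:
            if buf.strip():
                yield had_owner, buf.strip()
            buf = ''

def parse_zone(text, origin):
    """Return a list of (absolute owner, TYPE, rdata list) records."""
    records, owner = [], origin
    for had_owner, line in _logical_lines(text):
        fields = line.split()
        if fields[0] == '$ORIGIN':
            origin = fields[1]
        if fields[0].startswith('$'):
            continue                            # $TTL does not matter for this check
        if had_owner:
            owner = qualify(fields.pop(0), origin)
        while fields and (fields[0].upper() in ('IN', 'CH', 'HS') or _TTL.match(fields[0])):
            fields.pop(0)                       # optional TTL and class
        rtype, rdata = fields[0].upper(), [f for f in fields[1:] if f not in ('(', ')')]
        if rtype in _NAME_RDATA:
            rdata = [qualify(rdata[0], origin)]
        records.append((owner, rtype, rdata))
    return records

def ptr_owner_to_ip(name):
    """'7.99.99.10.in-addr.arpa.' -> '10.99.99.7' (IPv4 in-addr.arpa names only)."""
    return '.'.join(reversed(name.rstrip('.').split('.')[:-2]))

_ip_key = lambda ip: tuple(int(x) for x in ip.split('.'))

def check_consistency(forward, reverse):
    """Findings as (kind, ip, names): missing-ptr, ptr-mismatch or dangling-ptr."""
    a_by_ip = defaultdict(set)
    for owner, rtype, rdata in forward:
        if rtype == 'A':
            a_by_ip[rdata[0]].add(owner)
    ptr_by_ip = {ptr_owner_to_ip(o): r[0] for o, t, r in reverse if t == 'PTR'}
    findings = []
    for ip in sorted(a_by_ip, key=_ip_key):
        if ip not in ptr_by_ip:
            findings.append(('missing-ptr', ip, sorted(a_by_ip[ip])))
        elif ptr_by_ip[ip] not in a_by_ip[ip]:
            findings.append(('ptr-mismatch', ip, [ptr_by_ip[ip]]))
    for ip in sorted(set(ptr_by_ip) - set(a_by_ip), key=_ip_key):
        findings.append(('dangling-ptr', ip, [ptr_by_ip[ip]]))
    return findings

def audit_lan_zones():
    """Run the check on the two zones from the answer."""
    return check_consistency(parse_zone(FORWARD_ZONE, 'fake.tld.'),
                             parse_zone(REVERSE_ZONE, '99.99.10.in-addr.arpa.'))

if __name__ == '__main__':
    for kind, ip, names in audit_lan_zones():
        print(f'{kind:13} {ip:15} {" ".join(names)}')
```

On the answer's zones the only finding is the missing PTR for 10.99.99.7 (gitlab); the apex A record for fake.tld shares 10.99.99.2 with ns, and the PTR pointing at ns.fake.tld. is accepted because the check treats any name holding that address as a valid reverse target.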





      ;
      ; OPERATED BY VERISIGN, INC.
      ;
      . 3600000 NS J.ROOT-SERVERS.NET.
      J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
      J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
      ;
      ; OPERATED BY RIPE NCC
      ;
      . 3600000 NS K.ROOT-SERVERS.NET.
      K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
      K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
      ;
      ; OPERATED BY ICANN
      ;
      . 3600000 NS L.ROOT-SERVERS.NET.
      L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
      L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
      ;
      ; OPERATED BY WIDE
      ;
      . 3600000 NS M.ROOT-SERVERS.NET.
      M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
      M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
      ; End of File
      ;end db.root


      zones.rfc1918:



      zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
      // end zones.rfc1918
        answered Jun 24 '17 at 18:26









        ivanivan