The option is enabled by default; however, if you forward all queries then the 
automatic zones won’t be created and the forwarder is responsible for 
filtering. This is done like this because lots of people use forwarding to get 
to the internal servers that serve these zones. 

Just create empty zones in named.conf if the automatic creation doesn’t work 
with the rest of your configuration.

The log messages are there to tell you that queries are still leaking. 

Given your other questions about 10.in-addr.arpa I would really set it up and 
delegate based on which address blocks are assigned to whom.  Allow the zone to 
be transferred to any 10.0.0.0/8 address by default. Add in other server 
addresses or TSIG keys as different departments request access to it.  Start with 
an empty zone and delegations for the addresses you are using yourself and 
build up from there.  Turn off forwarding in this zone’s configuration by using 
an empty forwarders clause ( forwarders { /* empty */ }; ). 

I know you said this was a lost cause but it doesn’t have to be 100% perfect. 
It can be built up over time.

-- 
Mark Andrews

> On 23 Sep 2023, at 02:45, John Thurston <john.thurs...@alaska.gov> wrote:
> 
> 
> The global/view option
> 
> empty-zones-enable yes; 
> 
> isn't behaving as I expected. 
> 
> I had expected that it would cause empty "RFC 1918" zones to be created for 
> those zones for which there were not local zones defined. That is, if there 
> were no local zones of this type defined, it would create all the required 
> empty zones. But if 10.in-addr.arpa was defined locally, it would skip that 
> but define the rest of them.
> 
> After looking at my logs, and seeing that I'm leaking RFC 1918 queries, I see 
> my expectations were wrong.
> 
> Is explicitly defining the remaining empty zones the best way to correct this?
> 
> Or maybe add the un-used RFC 1918 zones to our RPZ?
> 
> -- 
> --
> Do things because you should, not just because you can. 
> 
> John Thurston    907-465-8591
> john.thurs...@alaska.gov
> Department of Administration
> State of Alaska
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
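
The explicit empty zones suggested in the reply above, as an added example that is not part of the original thread or of BIND itself: it lists the RFC 1918 reverse zones that have no same-named local zone and renders a named.conf statement for each. The zone file name db.empty (assumed to already exist with just an SOA and an NS record) and the sample zone names are assumptions.

```python
"""Emit named.conf stanzas for RFC 1918 reverse zones that have no local zone."""

# The RFC 1918 reverse zones: 10/8, 172.16/12 (sixteen /16 zones), 192.168/16.
RFC1918_REVERSE_ZONES = (
    ["10.in-addr.arpa"]
    + [f"{n}.172.in-addr.arpa" for n in range(16, 32)]
    + ["168.192.in-addr.arpa"]
)

# Assumption: a shared, pre-existing zone file holding only an SOA and an NS record.
EMPTY_ZONE_FILE = "db.empty"


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; ignore a trailing root dot."""
    return name.strip().rstrip(".").lower()


def missing_empty_zones(local_zones):
    """Return the RFC 1918 reverse zones not defined by name in local_zones.

    Only an exact name match counts: a child zone such as 5.10.in-addr.arpa
    does not stop queries for the rest of 10.in-addr.arpa from leaking.
    """
    defined = {normalize(z) for z in local_zones}
    return [z for z in RFC1918_REVERSE_ZONES if z not in defined]


def render_stanzas(local_zones, zone_file=EMPTY_ZONE_FILE):
    """Build one explicit zone statement per missing RFC 1918 zone."""
    return "\n".join(
        f'zone "{z}" {{ type primary; file "{zone_file}"; }};'
        for z in missing_empty_zones(local_zones)
    )


if __name__ == "__main__":
    # Constructed sample: names taken from a site's existing zone statements,
    # with 10.in-addr.arpa served locally as in the question.
    SAMPLE_LOCAL_ZONES = ["example.internal", "10.IN-ADDR.ARPA."]
    print(render_stanzas(SAMPLE_LOCAL_ZONES))
```
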