Peter Skvarka <p...@softinengines.com> writes:

> If I understand your answer correctly, the only way to disallow the
> resolver from querying the reverse translation for a target private IP
> is to deploy a DNS service for machines with private IPs?

You can configure programs not to do lookups, or you can let the lookups
happen. It is generally considered reasonable for programs to do lookups,
and they fail quickly. People who want more control over their DNS
resolution run a resolver themselves.

> I cannot believe it. The OS doesn't need reverse DNS translation for
> communicating IP1<->IP2.

If you don't want to believe things are how they are, that's up to you :-)

But seriously, some programs have -n. Some don't. This is not a
NetBSD-specific practice; it's been normal for a very long time.

You can configure your system not to use DNS. See nsswitch(5). But that
will probably not be a satisfactory configuration.

> ; <<>> DiG 9.18.24 <<>> -x 192.168.1.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2386
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;1.1.168.192.in-addr.arpa.	IN	PTR
>
> ;; AUTHORITY SECTION:
> 168.192.in-addr.arpa.	10800	IN	SOA	localhost. nobody.invalid. 1 3600 1200 604800 10800
>
> ;; Query time: 37 msec
> ;; SERVER: 31.3.32.1#53(31.3.32.1) (UDP)
> ;; WHEN: Wed Feb 19 18:27:07 CET 2025
> ;; MSG SIZE  rcvd: 112

That fails in 37 ms, which is pretty fast.

You may wish to read about how to run your own caching nameserver. named
and unbound are two possibilities included in the NetBSD base system.
That will almost certainly fail faster, and cache other queries for
faster responses.
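A concrete version of the "run your own caching nameserver" suggestion above, as an added example that is not part of the original message or of NetBSD's or unbound's own documentation. Note that the quoted dig output already carries the SOA `localhost. nobody.invalid. 1 3600 1200 604800 10800`, which is the record unbound synthesizes for its built-in static local zones; the upstream resolver at 31.3.32.1 is therefore answering the 192.168.x.x PTR query from local data rather than forwarding it anywhere, and the 37 ms is just the round trip to it. Running unbound on the host itself gives the same NXDOMAIN (or a real name, if you add one) with no round trip at all. The file path, the zone chosen and the host names below are assumptions for illustration; check unbound.conf(5) on your system for the actual defaults.

```conf
# /etc/unbound/unbound.conf  (path is an assumption; see unbound.conf(5))
server:
    # Only answer the local host.
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow

    # unbound's defaults already declare the RFC 1918 reverse zones
    # (10.in-addr.arpa, 16-31.172.in-addr.arpa, 168.192.in-addr.arpa)
    # as "static" local zones: names with no local data get NXDOMAIN
    # from the local process and no packet leaves the machine.
    # Stating it explicitly documents the intent and survives a change
    # of defaults (or a stray "unblock-lan-zones: yes").
    local-zone: "168.192.in-addr.arpa." static

    # Optionally give your own hosts real reverse names instead of
    # NXDOMAIN. local-data-ptr takes "<address> <name>" and creates
    # the PTR record inside the static zone above. Names are hypothetical.
    local-data-ptr: "192.168.1.1 gw.home.arpa."
    local-data-ptr: "192.168.1.10 nas.home.arpa."
    # Matching forward records, so name->address agrees with address->name.
    local-data: "gw.home.arpa.  IN A 192.168.1.1"
    local-data: "nas.home.arpa. IN A 192.168.1.10"

    # Everything not covered by local data is resolved from the root
    # and cached, which is what makes repeat lookups faster than asking
    # the ISP resolver each time.
```

After `unbound-checkconf` passes and the daemon is started (on NetBSD, `unbound=YES` in rc.conf and `service unbound start` is the usual pattern; treat that as an assumption and confirm with rc.conf(5)), point the stub resolver at it with `nameserver 127.0.0.1` in /etc/resolv.conf and leave `hosts: files dns` in /etc/nsswitch.conf. Re-running the quoted query as `dig -x 192.168.1.1 @127.0.0.1` should then show `SERVER: 127.0.0.1#53` and a query time of 0 msec, with either NXDOMAIN (static zone only) or the PTR record you configured.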