On Fri, Mar 25, 2011 at 3:51 AM, Carsten Strotmann <[email protected]> wrote:

> please be aware that the use of a non-registered top level domain, esp.
> the top level domain ".local", can be problematic.
>
> The problem here is that if your network is attached to the Internet,
> any typo will leak out to the Internet root DNS Server system and will
> cause little traffic there. Having only one system doing this is not a
> big problem, but in total most of the traffic going to the root DNS
> Server system is such bogus traffic that should be avoided (there is
> also a security aspect in having private data leaking to the public
> Internet).
>
> This graph at
> http://dns.icann.org/cgi-bin/dsc-grapher.pl?window=86400&plot=qtype_vs_invalid_tld&server=L-root
> shows all the invalid TLD queries going to one of the root name servers
> (l.root-server.net).
>
> You see '.local' is very high in that list. The reason for this is that
> the '.local' TLD is used for a service called 'MulticastDNS'
> (http://www.multicastdns.org/). Multicast DNS is known as
> 'Bonjour/Rendezvous' on Apple MacOS X systems, and Avahi on
> Linux/Solaris and the BSD Unixes. It is also built into some hardware,
> such as Axis network cameras, Roku SoundBridges, TiVo PVRs. It can also
> be installed on Windows systems.
>
> On these machines, any name lookup for a domain name will not be sent to
> the DNS system (the Unbound resolver) but will be resolved by the
> operating system using multicast DNS.
>
> So your use of '.local' will not work on these systems.
I'm not following everything here. I remember when my distro started incorporating mDNS and my ".local" internal TLD, which had worked fine for years, stopped functioning properly. I either had to change my internal TLD or disable mDNS on the systems. The better fix was to stop using ".local", so I elected that route.

However, the mDNS issue aside, I was under the impression that Unbound does not recursively resolve local-data, that it is in effect authoritative for it, much like using a stub-zone pointing to an authoritative server such as NSD serving a private internal domain (such as .soho, .office, .home, etc.). Therefore queries for such domain names would not get leaked to the root servers. Or would they? What am I missing?

Thanks,
Chris
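The two set-ups contrasted in the reply above, written out as an unbound.conf fragment. This is an added example, not configuration from the thread or from the Unbound project; the zone names office. and home., the server address 10.0.0.53 and the host addresses are made up. The local-zone type and the domain-insecure line are the two settings that decide whether a query under a private zone can still reach the root.

```conf
server:
    # Private zone served straight from local data. With type "static",
    # a name that is NOT listed below gets NXDOMAIN from Unbound itself;
    # nothing is forwarded upstream, so a typo never reaches the root.
    # (The default type when only local-data is given is "transparent":
    # unlisted names under the zone are then resolved normally, i.e.
    # sent to the root, which is exactly the leak discussed above.)
    local-zone: "office." static
    local-data: "fileserver.office. IN A 10.0.0.10"
    local-data: "printer.office.    IN A 10.0.0.20"
    local-data-ptr: "10.0.0.10 fileserver.office"
    local-data-ptr: "10.0.0.20 printer.office"

    # With DNSSEC validation enabled, a validating Unbound has to prove
    # that an unsigned private zone is legitimately insecure, and it does
    # that by asking the root for a DS record for "home." -- another way
    # a private name leaks out. Marking the zone insecure stops that.
    domain-insecure: "home."

# Private zone delegated to an internal authoritative server (e.g. NSD).
# Unbound sends queries under home. only to the stub address listed here.
stub-zone:
    name: "home."
    stub-addr: 10.0.0.53
```

Run `unbound-checkconf` after editing, then verify with a query for a deliberately misspelled name under each zone while watching the resolver's outbound traffic: with the settings above neither lookup should produce a packet toward the root servers.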
