On 3/25/11 8:49 PM, Chris Smith wrote:
> However, the mDNS issue aside, I was under the impression that Unbound
> does not recursively resolve local-data, that it is in effect
> authoritative for it, much like using a stub-zone pointing to an
> authoritative server such as NSD serving a private internal domain
> (such as .soho, .office, .home, etc.). Therefore queries for such
> domain names would not get leaked to the root servers. Or would they?
> What am I missing?

Hello Chris,
you are right: if these queries only went towards a carefully configured resolving DNS server that terminates this local domain, the names would not leak. However, experience shows that the names will show up inside the payload of network data (badly designed protocols that embed names in the payload) and as a result will be looked up in different networks where you do not have control over the DNS and the local names are not terminated on the resolving DNS server.

It is very hard to prevent leakage of private names. An official DNS domain that is registered in the Internet, but only used in the internal network, is the best choice. It prevents any name clashes, because you 'own' that name. Starting later this year it will be possible to 'buy' your own top level domain (not cheap though). So you cannot be sure that any 'private' top level domain will not appear in the Internet at some point in time.

Other than spending a little money for a domain (you can get domains for less than US$ 20 a year), there is no technical difference for the operator using a registered domain you own internally vs. an unregistered TLD. But there is a difference for the Internet infrastructure.

-- 
Carsten
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
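The leakage Carsten describes can be measured rather than guessed at: run a resolver that does not terminate the private zone (a guest or remote network) with Unbound's `log-queries: yes`, and count lookups whose TLD is one of the unregistered private ones from the thread. The script below is an added example, not code from the thread or from the Unbound project; the set of private TLDs, the sample log lines and the expectation that query-log lines carry `info: <client> <qname> <qtype> <qclass>` are assumptions to adapt to your own setup.

```python
import re
from collections import Counter

# Unregistered TLDs used for private naming. The thread names .soho,
# .office and .home; the rest are assumed additions for a typical network.
PRIVATE_TLDS = {"soho", "office", "home", "lan", "corp"}

# Assumed shape of an Unbound query-log line (log-queries: yes):
#   [epoch] unbound[pid:tid] info: <client-ip> <qname> <qtype> <qclass>
QUERY_RE = re.compile(
    r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)


def private_tld(qname):
    """Return the private TLD of qname, or None if its TLD is not in the set."""
    tld = qname.rstrip(".").lower().rsplit(".", 1)[-1]
    return tld if tld in PRIVATE_TLDS else None


def find_private_lookups(lines):
    """Yield (client, qname, tld) for every query under a private TLD.

    On a resolver that does not serve the private zone, each hit is a name
    that has escaped the network it belongs to, which is exactly the
    leakage a registered internal domain would avoid.
    """
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        tld = private_tld(m.group("qname"))
        if tld:
            yield m.group("client"), m.group("qname"), tld


def summarize(lines):
    """Count leaked lookups per (client, private TLD)."""
    return Counter((client, tld) for client, _, tld in find_private_lookups(lines))


# Constructed sample log lines, not a real capture.
SAMPLE_LOG = """\
[1301100001] unbound[1234:0] info: 192.0.2.10 www.example.com. A IN
[1301100002] unbound[1234:0] info: 192.0.2.10 printer.soho. A IN
[1301100003] unbound[1234:0] info: 192.0.2.11 fileserver.office. AAAA IN
[1301100004] unbound[1234:0] info: 192.0.2.10 nas.home. A IN
[1301100005] unbound[1234:0] info: 192.0.2.12 mail.example.net. MX IN
""".splitlines()

if __name__ == "__main__":
    for (client, tld), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client} looked up {n} name(s) under .{tld}")
```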
