Stealth secondary nameservers

The configuration files provided for download here are intended as prototypes for configuring "stealth" (also known as "unofficial") secondary nameservers on the Cambridge University Data Network.

Announcements about changes to this sample configuration are posted on the DNS news pages and sent to the uis-dns-announce mailing list.

Alternatives

There are three alternative ways to configure your name server to support our local zones. Note that you will not be able to do reverse DNS lookups for private addresses without some configuration, whichever alternative you choose.

The simplest alternative is to forward all queries to the central recursive DNS servers. The more complicated but more robust alternative is to set up your server as a "stealth slave" of all our local zones. The intermediate alternative, for those running BIND 9.11 or newer, is to use a catalog-zones clause to configure the stealth slave zones automatically.

  • sample.named.conf

    Sample BIND 9 configuration file, containing extensive comments on variations for different situations.

  • forward.named.conf

    A stripped-down example configuration for resolvers that forward to the central recursive servers.

  • catz.named.conf

    A version that uses BIND 9.11 catalog zones to automate all the zone configuration from sample.named.conf.

  • rpz.named.conf

    A configuration fragment which explains how you can use our DNS blocks on your own recursive servers. You don't need this if you are forwarding to the central recursive servers.

  • db.null

    Zone file for an empty zone.

  • db.localhost

    Zone file for the "localhost" zone.

  • db.localhost-rev

    Zone file for the "localhost" reverse zone.
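The following BIND 9 fragments are an added illustration of the three alternatives side by side; they are not the University's own files and not copied from the downloads listed above. Everything specific in them is a constructed placeholder: the addresses come from the 192.0.2.0/24 documentation range, "example.ac.uk", "catalog.example" and the reverse zones stand in for the real local zones, and the use of db.null to give an empty answer for a private reverse range is an assumption. The real primaries, zone names and transfer settings come from the sample files.

```conf
// ===== Shared options (assumed values; all addresses are placeholders)
options {
    directory "/var/cache/bind";
    recursion yes;
    // Recursive service only for our own networks.
    allow-recursion { 192.0.2.0/24; localhost; };
    allow-query     { 192.0.2.0/24; localhost; };
    // A stealth secondary is not listed in any NS record, so no one
    // should need to transfer zones from it.
    allow-transfer  { none; };
};

// Local zones every resolver serves itself (file names match the
// downloads listed above; their contents are not reproduced here).
zone "localhost"        { type master; file "db.localhost"; };
zone "127.in-addr.arpa" { type master; file "db.localhost-rev"; };

// ===== Alternative A: forward everything to the central recursive
// servers. Simplest, but answers stop when those servers are unreachable.
// (Use A, B or C for the local zones, not more than one.)
zone "example.ac.uk" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};
// Private-address reverse lookups need their own entry too; without
// this, 10.x.x.x PTR queries go nowhere useful.
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};

// ===== Alternative B: stealth slave of each local zone. Most robust:
// the server keeps a local copy and keeps answering while the
// primaries are down, exactly as the Rationale section describes.
zone "example.ac.uk" {
    type slave;
    masters { 192.0.2.53; };
    file "slave/example.ac.uk.db";
};
zone "10.in-addr.arpa" {
    type slave;
    masters { 192.0.2.53; };
    file "slave/10.in-addr.arpa.db";
};
// Assumed use of db.null: a private range we have no data for gets an
// authoritative empty zone, so lookups fail fast and locally.
zone "16.172.in-addr.arpa" { type master; file "db.null"; };

// ===== Alternative C: catalog zone (BIND 9.11+). The primary publishes
// a list of member zones in "catalog.example"; every member is added
// here automatically as a slave of default-masters, so the per-zone
// blocks from B are not written by hand.
options {
    catalog-zones {
        zone "catalog.example"
            default-masters { 192.0.2.53; }
            in-memory no
            zone-directory "catz";
    };
};
// The catalog zone itself is slaved like any other zone.
zone "catalog.example" {
    type slave;
    masters { 192.0.2.53; };
    file "slave/catalog.example.db";
};
```

Only one of A, B or C should appear in a real named.conf, and C's catalog-zones clause belongs inside the single options block rather than a second one; the sections are separated here only so each alternative can be read on its own. A quick way to tell B and C apart from A at runtime is `rndc zonestatus example.ac.uk`, which reports a slave zone with its serial and primary, whereas a forward zone is not listed.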

Rationale

Our central recursive servers are configured as stealth secondaries in a similar (but more automated) way to the setup documented above. Since very little else can work when the recursive servers are not available, their configuration is designed so that they can boot and start serving DNS answers without depending on anything else. By being configured as stealth secondaries, they have their own copies of our DNS zones so that they do not depend on any other Cambridge DNS server to be available.