NetBSD-Users archive


Re: DNS resolver resolves LAN IPs



Peter Skvarka <ps%softinengines.com@localhost> writes:

> If I understand good your answer, the only way how to disallow
> resolver to query reverse translation for target private IP is to
> deploy DNS service for machines with private IPs ?

You can configure programs not to do lookups, or you can let the lookups
happen.  It is generally considered reasonable for programs to do
lookups, and they fail quickly.  People who want more control over their
DNS resolution run a resolver themselves.

> I cannot believe it. OS don't need reverse DNS translating for
> communicating IP1<->IP2.

If you don't want to believe things are how they are, that's up to you
:-) But seriously, some programs have -n.  Some don't.  This is not a
NetBSD-specific practice; it's been normal for a very long time.

You can configure your system not to use dns.  See nsswitch(5).  But
that will probably not be a satisfactory configuration.

> ; <<>> DiG 9.18.24 <<>> -x 192.168.1.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2386
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;1.1.168.192.in-addr.arpa.	IN	PTR
>
> ;; AUTHORITY SECTION:
> 168.192.in-addr.arpa.	10800	IN	SOA
> localhost. nobody.invalid. 1 3600 1200 604800 10800
>
> ;; Query time: 37 msec
> ;; SERVER: 31.3.32.1#53(31.3.32.1) (UDP)
> ;; WHEN: Wed Feb 19 18:27:07 CET 2025
> ;; MSG SIZE  rcvd: 112

That fails in 37 ms, which is pretty fast.

You may wish to read about how to run your own caching nameserver.
named and unbound are two possibilities included in the NetBSD base
system.  That will almost certainly fail faster, and cache other
queries for faster responses.
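As an added illustration of the local caching resolver suggested above (not part of the original message), the following unbound.conf fragment keeps the RFC 1918 reverse zones local, so the PTR query in the quoted dig output is answered on the machine itself rather than sent upstream, and optionally gives the LAN hosts real PTR records. The host names and the forwarder address are constructed placeholders; 31.3.32.1 is simply the server shown in the quoted dig output.

```conf
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # unbound already treats the RFC 1918 reverse zones (RFC 6303 list)
    # as "static" local zones, so 1.1.168.192.in-addr.arpa. gets NXDOMAIN
    # from this process and never leaves the host.  Keep the default "no"
    # here; "yes" would forward those private-range PTR queries upstream.
    unblock-lan-zones: no

    # Optional: answer reverse lookups for known LAN machines instead of
    # NXDOMAIN.  "static" means anything not listed below is still NXDOMAIN.
    # Names below are constructed examples.
    local-zone: "168.192.in-addr.arpa." static
    local-data-ptr: "192.168.1.1 gw.lan.example"
    local-data-ptr: "192.168.1.10 nas.lan.example"

    # Matching forward records, so the same names resolve both ways.
    local-zone: "lan.example." static
    local-data: "gw.lan.example. IN A 192.168.1.1"
    local-data: "nas.lan.example. IN A 192.168.1.10"

# Everything else goes to the upstream resolver and is cached here.
# The address is the upstream seen in the quoted dig output; replace as needed.
forward-zone:
    name: "."
    forward-addr: 31.3.32.1
```

Run unbound-checkconf on the file before starting the daemon, then point /etc/resolv.conf at `nameserver 127.0.0.1` so the system's lookups go through the local cache.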

