How do I answer for a specific hostname in a zone, but resolve all its other names normally?
  • 04 Oct 2018
  • 1 Minute to read
  • Contributors
  • Dark
  • PDF

How do I answer for a specific hostname in a zone, but resolve all its other names normally?

  • Dark
  • PDF

Article summary


A common wish among many sites with internal-only nameservers is the desire on an otherwise caching-only resolver to override one (or more) single name(s) from the Internet.

Suppose your company is "" and your authoritative DNS is hosted elsewhere. But you need " " to resolve to internal addresses and 2001:db8:15c:b9::1 for the users at your site.


The answer is to add an authoritative zone for "" to your named.conf file, with the desired A/AAAA record(s) at the apex of the zone:

# named.conf (or a file included therein by 'include "/path/to/file";'):

zone "" IN {
     type master;
     # This assumes the default directory location in the "options" stanza
     file "";

And the "" file might look like this:

$TTL 1h
; every zone must have SOA ...
@    IN        SOA    @ (
          42    ;serial
          3h    ;refresh
          15m   ;retry
          1w    ;expiry
          1h    ;minimum
; ... and NS also.
@    IN        NS    @

; addresses for
@            A
@            AAAA    2001:db8:15c:b9::1

Use "rndc reconfig" to reload the configuration and enable the new zone, or an "rndc addzone" command can do this at runtime, without editing named.conf, if the allow-new-zones option is set to yes:

$ rndc addzone '{ type master; file ""; }; 

All names under that label are overridden also!
Note that limitations of the DNS protocol mean that all names under the label, "", such as "" or "" are also overridden by this zone statement. If such names exist in the parent zone, they won't resolve for users of this internal nameserver. (But they could be added to the sample zone.)


Dnsmasq is an easy-to-use integrated DHCP server and DNS forwarding server. In a case like this, dnsmasq might be a viable alternative. Because dnsmasq is not a complete DNS implementation like BIND, names under the label are not affected. Note that dnsmasq requires an upstream forwarding nameserver (such as BIND) to do recursion for names for which it is not authoritative.

What about DNSSEC?
DNSSEC can complicate things. These override zones should only be served internally (to clients in your own network), but it's possible that end-user validation tools will detect that you have assumed authority over names you do not control.