How do I answer for a specific hostname in a zone, but resolve all its other names normally?



A common wish among many sites with internal-only nameservers is the desire on an otherwise caching-only resolver to override one (or more) single name[s] from the Internet.

Suppose your company is "" and your authoritative DNS is hosted elsewhere. But you need "" to resolve to an internal address for the users at your site.


The answer is to add an authoritative zone for "" to your named.conf file, with the desired A/AAAA record[s] at the apex of the zone:

# named.conf (or a file included therein by 'include "/path/to/file";'):

zone "" IN {
    type master;
    # This assumes the default "directory location in the
    # options {} stanza
    file ""

And the "" file might look like this:

$TTL 1h
; every zone must have SOA ...
@    IN        SOA    @ (
            42    ;serial
            3h    ;refresh
            15m    ;retry
            1w    ;expiry
            1h    ;minimum
; ... and NS also.
@    IN        NS    @
; RFC 1918 address
@            A
; RFC 3849 address
@            AAAA    2001:DB8:i5c:b9::1
; add any other records you need

Use "rndc reconfig" to reload the configuration and enable the new zone, or an "rndc addzone" command can do this at runtime, without editing named.conf, if the "allow-new-zones" option is set to yes:

$ rndc addzone '{ type master; file ""; };'

All names under that label are overridden also!

Note that limitations of the DNS protocol mean that all names under the label, "", such as "" or "" are also overridden by this zone statement. If such names exist in the parent zone, they won't resolve for users of this internal nameserver. (But they could be added to the sample zone.)


Dnsmasq is an easy-to-use integrated DHCP server and DNS forwarding server. In a case like this, dnsmasq might be a viable alternative.  Because dnsmasq is not a complete DNS implementation like BIND, names under the label are not affected.  Note that dnsmasq requires an upstream forwarding nameserver (such as BIND) to do recursion for names for which it is not authoritative.

What about DNSSEC?

DNSSEC can complicate things. These override zones should only be served internally (to clients in your own network), but it's possible that end-user validation tools will detect that you have assumed authority over names you do not control.