Bounding Unicorns

How To Fix "your-dns-needs-immediate-attention.tld" When DNS Caching A Private TLD

My network structure is as follows:

  • My home network uses 10.0.3.0/24 netmask and a local TLD of here.
  • The gateway has the IP 10.0.3.254 and runs a DNS server for the local network. The DNS server performs three functions: it resolves local host names, blocks ads and provides caching for Internet host names.
  • My laptop runs its own DNS server locally to perform two of the above three functions: ad blocking and caching for Internet host names.
  • Laptop DNS server is configured to forward to the network-designated DNS server on the home network, otherwise not to forward.

I recently installed BIND 10 on the laptop and since then, the host names on my local network have all been resolving to your-dns-needs-immediate-attention.here (127.0.53.53).

The cause of this behavior turned out to be name collision warning feature mandated by ICANN recently and implemented in BIND 10. The gist of the situation is that many machines send queries meant for local DNS resolution to public DNS servers on the Internet. Historically, these local queries failed to resolve and subsequent queries were sent that accomplished the desired effect. ICANN has now mandated that public DNS resolvers respond to these queries now with the special 127.0.53.53 response, reverse resolved to your-dns-needs-immediate-attention. The affected queries are those for TLDs that are not currently registered with ICANN, i.e., those for made-up TLDs like I am running.

ICANN provides more details in the full explanation here.

The mental leap involved was realizing that BIND instance on my laptop fancied itself an Internet name server - when it received a request for host name with an unofficial TLD, instead of forwarding said request to its upstream DNS server when I am on my home network, the laptop BIND server returned 127.0.53.53.

Armed with this knowledge, a workaround is quite straightforward: there is a new zone type forward added to BIND, and on my laptop I set up a forward zone for my private network directed to the network's DNS server:

zone "here" {
  type forward;
  forwarders { 10.0.3.254; };
};

The downside to this workaround is that it hardcodes the origin DNS server. Not a big deal really as I script other parts of BIND configuration on the laptop, and can quite easily script this part as well.

Happy BINDing!