BIND named and DNS servers

BIND 9.16.31

The forwarders.conf is always changed to that shown below. I do not want two of the listed IPs (2620:119:35::35 and 208.67.222.222). Removing them manually is futile; every time named is restarted, those IPs reappear.

I have searched in vain for where netconfig thinks it is a wise plan to add those IPs.

cat /etc/named.d/forwarders.conf
### /etc/named.d/forwarders.conf is a symlink to /var/run/netconfig/bind-forwarders.conf
### autogenerated by netconfig!
### Call "netconfig update -f" to force adjusting of /etc/named.d/forwarders.conf.
forwarders {
    64.119.32.100;
    8.8.8.8;
    13.58.209.22;
    2620:119:35::35;
    2001:4860:4860::8888;
    208.67.222.222;
};

However, in the named working directory:

forwarders {
    8.8.8.8;
    13.58.209.22;
    64.119.32.100;
    2001:4860:4860::8888;
};

which is what I want. named, however, does not use that file for the forwarder configuration. Rather, it uses the one further above.

The reason I wish to remove those IPs is that the named.log file is cluttered with these messages:

21-Aug-2022 11:01:06.869 resolver: notice: DNS format error from 208.67.222.222#53 resolving 80.209.35.in-addr.arpa/DS for <unknown>: invalid response
21-Aug-2022 11:03:28.090 resolver: notice: DNS format error from 208.67.222.222#53 resolving 80.209.35.in-addr.arpa/DS for <unknown>: invalid response
21-Aug-2022 11:03:38.119 resolver: notice: DNS format error from 208.67.222.222#53 resolving lovepop.com/DS for <unknown>: invalid response

While tidiness is hardly a priority, I am annoyed that I cannot remove those IPs from named’s configuration.

Values in /etc/sysconfig/network/config:

NETCONFIG_MODULES_ORDER="dns-resolver dns-bind dns-dnsmasq nis ntp-runtime"
NETCONFIG_DNS_POLICY="auto"
NETCONFIG_DNS_FORWARDER="bind"
NETCONFIG_DNS_FORWARDER_FALLBACK="yes"
NETCONFIG_DNS_STATIC_SEARCHLIST="sma.com"
NETCONFIG_DNS_STATIC_SERVERS=" 64.119.32.100 8.8.8.8 13.58.209.22"
NETCONFIG_DNS_RANKING="auto"
NETCONFIG_NTP_POLICY="auto"
NETCONFIG_NTP_STATIC_SERVERS=""
NETCONFIG_NIS_POLICY="auto"
NETCONFIG_NIS_SETDOMAINNAME="yes"
NETCONFIG_NIS_STATIC_DOMAIN=""
NETCONFIG_NIS_STATIC_SERVERS=""

Options in named.conf:

options {
        directory "/var/lib/named";
        dump-file "/data01/var/log/named/named_dump.db";
        statistics-file "/data01/var/log/named/named.stats";
        zone-statistics yes;

        #forwarders { 192.0.2.1; 192.0.2.2; };

        listen-on port 53 { any; };
        listen-on-v6 { any; };

        #query-source address * port 53;
        #transfer-source * port 53;
        #notify-source * port 53;

        allow-query { any; };
        recursion yes;
        # Prevent recursive queries, a la DNS Amplification DDoS
        # allow-recursion { none; };
        # allow-recursion { localip; };
        # allow-recursion { smanets; };
        # allow-transfer { localip; };
        # additional-from-cache no;

        notify no;

        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        include "/etc/named.d/forwarders.conf";
        also-notify { };

        forward first;
        transfer-format many-answers;

        # all-per-second 20;  // covers all queries from client
        rate-limit {
                referrals-per-second 5;
                responses-per-second 5;
                window 2;
        };
};

Most likely it gets them from DHCP server.

However, in the named working directory:

a) what is the named working directory?
b) this text cannot be in the working directory; it can be in some file in the working directory
c) why is this file relevant? The only file bind reads is /etc/named.conf, and any other file has to be referenced starting from there.

Values in /etc/sysconfig/network/config:

NETCONFIG_MODULES_ORDER="dns-resolver dns-bind dns-dnsmasq nis ntp-runtime"
NETCONFIG_DNS_POLICY="auto"

Policy “auto” means merge DNS servers from all available sources. You could define policy STATIC to use only the static list, or “” to prevent netconfig from touching the DNS configuration.

Options in named.conf:

options {
...
        #forwarders { 192.0.2.1; 192.0.2.2; };
...
        include "/etc/named.d/forwarders.conf";
...
};

Or you could simply add your forwarders list to named.conf and delete the include “/etc/named.d/forwarders.conf”. This line is not there by default, so you need to edit named.conf in any case.
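
The merging behaviour of NETCONFIG_DNS_POLICY="auto" described in the reply above is easy to audit mechanically. The following is an added example, not code from the thread, from netconfig or from BIND: it parses the netconfig-generated forwarders.conf and NETCONFIG_DNS_STATIC_SERVERS from /etc/sysconfig/network/config, reports every forwarder that did not come from the static list (that is, was merged in from some other source), and renders an explicit `forwarders { ... };` block built from the static list, which is the form you would paste into named.conf in place of the include line. The function names and the two sample file contents are mine; the samples are constructed from the values posted in this thread.

```python
"""Config-drift check for BIND forwarders managed by netconfig.

Added example, not part of the forum thread, netconfig or BIND.
Function names are the author's own; SAMPLE_* contents are constructed
from the values posted in the thread so the script runs offline.
"""
from __future__ import annotations

import ipaddress
import re
import sys

# Matches the first `forwarders { ... };` block in a BIND config fragment.
FORWARDERS_RE = re.compile(r"forwarders\s*\{(.*?)\}\s*;", re.S)

# Constructed sample, modelled on the netconfig-generated file quoted above.
SAMPLE_FORWARDERS_CONF = """\
### /etc/named.d/forwarders.conf is a symlink to /var/run/netconfig/bind-forwarders.conf
### autogenerated by netconfig!
forwarders {
    64.119.32.100;
    8.8.8.8;
    13.58.209.22;
    2620:119:35::35;
    2001:4860:4860::8888;
    208.67.222.222;
};
"""

# Constructed sample, modelled on the /etc/sysconfig/network/config values above.
SAMPLE_SYSCONFIG = """\
NETCONFIG_DNS_POLICY="auto"
NETCONFIG_DNS_FORWARDER="bind"
NETCONFIG_DNS_STATIC_SERVERS=" 64.119.32.100 8.8.8.8 13.58.209.22"
"""


def parse_forwarders(conf_text: str) -> list[str]:
    """Return the addresses in the first forwarders block, in file order."""
    match = FORWARDERS_RE.search(conf_text)
    if not match:
        raise ValueError("no forwarders { ... }; block found")
    body = re.sub(r"/\*.*?\*/", "", match.group(1), flags=re.S)  # /* ... */
    body = re.sub(r"(//|#)[^\n]*", "", body)                      # // and # comments
    servers = []
    for entry in body.split(";"):
        entry = entry.strip()
        if entry:
            servers.append(entry.split()[0])  # drop an optional "port NN" suffix
    return servers


def parse_static_servers(sysconfig_text: str) -> list[str]:
    """Return NETCONFIG_DNS_STATIC_SERVERS as a list (empty if unset)."""
    for line in sysconfig_text.splitlines():
        line = line.strip()
        if line.startswith("NETCONFIG_DNS_STATIC_SERVERS="):
            value = line.split("=", 1)[1].strip().strip("\"'")
            return value.split()
    return []


def find_unexpected(forwarders: list[str], allowed: list[str]) -> list[str]:
    """Forwarders not present in `allowed`, comparing normalised addresses.

    IPv6 addresses are compared in compressed form so that
    2001:4860:4860:0:0:0:0:8888 and 2001:4860:4860::8888 are the same server.
    Anything that is not a valid address is reported as unexpected.
    """
    allowed_norm = {ipaddress.ip_address(a).compressed for a in allowed}
    unexpected = []
    for server in forwarders:
        try:
            norm = ipaddress.ip_address(server).compressed
        except ValueError:
            unexpected.append(server)
            continue
        if norm not in allowed_norm:
            unexpected.append(server)
    return unexpected


def render_forwarders(servers: list[str]) -> str:
    """Render an explicit forwarders block for pasting into named.conf."""
    lines = ["forwarders {"] + [f"    {s};" for s in servers] + ["};"]
    return "\n".join(lines) + "\n"


def main(argv: list[str]) -> int:
    # Usage: check_forwarders.py [forwarders.conf sysconfig-file]; samples otherwise.
    if len(argv) == 3:
        with open(argv[1]) as f:
            conf_text = f.read()
        with open(argv[2]) as f:
            sysconfig_text = f.read()
    else:
        conf_text, sysconfig_text = SAMPLE_FORWARDERS_CONF, SAMPLE_SYSCONFIG
    static = parse_static_servers(sysconfig_text)
    extras = find_unexpected(parse_forwarders(conf_text), static)
    for server in extras:
        print(f"forwarder not in NETCONFIG_DNS_STATIC_SERVERS: {server}")
    print("explicit block for named.conf:\n" + render_forwarders(static), end="")
    return 1 if extras else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the real files with `python3 check_forwarders.py /etc/named.d/forwarders.conf /etc/sysconfig/network/config`; a non-zero exit means netconfig merged in something that is not in your static list, which is a cheap thing to alert on, since a resolver silently gaining an unapproved upstream is exactly the kind of change you want to notice. On the sample data it flags not only 2620:119:35::35 and 208.67.222.222 but also 2001:4860:4860::8888, because the comparison is against NETCONFIG_DNS_STATIC_SERVERS, not against the list one happens to want; if you keep the IPv6 server, add it to the static list so the check reflects your actual policy.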

Yes, that seems the useful solution. It works.

Still, it is bothersome that I cannot discover where the additional data is located. It is not from DHCP; the settings do not include the unwanted IPs (though how could I be sure?). Obviously not in named.conf or the netconfig conf file.