How do I answer for a specific hostname in a zone, but resolve all its other names normally?
Reference Number: AA-01190 | Created: 2014-08-01 17:40 | Last Updated: 2018-04-20 23:33


A common wish at sites with internal-only nameservers is to have an otherwise caching-only resolver override one (or more) individual names from the Internet.

Suppose your company is "" and your authoritative DNS is hosted elsewhere. But you need "" to resolve to internal addresses and 2001:db8:15c:b9::1 for the users at your site.


The answer is to add an authoritative zone for "" to your named.conf file, with the desired A/AAAA record(s) at the apex of the zone:

# named.conf (or a file included therein by 'include "/path/to/file";'):

zone "" IN {
    type master;

    # This assumes the default directory location in the "options" stanza
    file "";
};


And the "" file might look like this:

$TTL 1h
; every zone must have SOA ...
@    IN        SOA    @ (
            42    ;serial
            3h    ;refresh
            15m   ;retry
            1w    ;expiry
            1h )  ;minimum
; ... and NS also.
@    IN        NS    @

; addresses for
@            A
@            AAAA    2001:db8:15c:b9::1

Use "rndc reconfig" to reload the configuration and enable the new zone. Alternatively, if the allow-new-zones option is set to yes, an "rndc addzone" command can add the zone at runtime without editing named.conf:

$ rndc addzone '{ type master; file ""; };'

All names under that label are overridden also!

Note that limitations of the DNS protocol mean that all names under the label, "", such as "" or "" are also overridden by this zone statement. If such names exist in the parent zone, they won't resolve for users of this internal nameserver. (But they could be added to the sample zone.)
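The caveat above is easy to misjudge when planning an override, so here is an added example (not ISC's code, and not part of the original article) that emulates the resolver's decision: it parses a zone file shaped like the sample above and then classifies queries as either answered from the local override zone or passed on for normal resolution. The zone name "example.com", the IPv4 address 192.0.2.10 and the zone text are constructed placeholders standing in for the article's elided values; the parser is deliberately minimal and expects an explicit owner on every record line.

```python
"""Added example (not ISC's code): emulate how a resolver with a local
override zone decides which queries it answers itself.  The zone name
"example.com", the IPv4 address 192.0.2.10 and the zone text below are
constructed placeholders standing in for the article's elided values."""

# Constructed override zone file in the same shape as the article's sample.
OVERRIDE_ZONE_FILE = """\
$TTL 1h
; every zone must have SOA ...
@    IN  SOA   @ hostmaster.example.com. (
            42    ;serial
            3h    ;refresh
            15m   ;retry
            1w    ;expiry
            1h )  ;minimum
; ... and NS also.
@    IN  NS    @
; addresses for the apex only
@    IN  A     192.0.2.10
@    IN  AAAA  2001:db8:15c:b9::1
"""


def parse_zone(origin, text):
    """Minimal zone-file parser: {owner: {rtype: [rdata, ...]}}.
    Handles ';' comments, '$' directives (skipped), '@', relative owner
    names and '(' ... ')' continuation lines.  Every record line must
    carry an explicit owner (true of the file above)."""
    origin = origin.rstrip(".").lower()
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:                           # statement complete
            logical.append(" ".join(buf))
            buf = []
    records = {}
    for stmt in logical:
        if stmt.startswith("$"):                 # $TTL / $ORIGIN: not needed here
            continue
        fields = stmt.replace("(", " ").replace(")", " ").split()
        owner = fields.pop(0)
        owner = origin if owner == "@" else (
            owner.rstrip(".").lower() if owner.endswith(".")
            else f"{owner.lower()}.{origin}")
        if fields[0].upper() == "IN":
            fields.pop(0)
        rtype = fields.pop(0).upper()
        rdata = " ".join(origin + "." if t == "@" else t for t in fields)
        records.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
    return records


def classify_query(zones, qname, qtype):
    """zones: {origin: parsed records}.  Mirrors the resolver's behaviour:
    the longest configured zone that encloses qname is authoritative for
    everything at or below its apex.  Returns one of
      ("forward", None)            -> not ours, resolve on the Internet
      ("override", [rdata, ...])   -> answered from the local zone
      ("override", [])             -> name exists but no such type (NODATA)
      ("override", "NXDOMAIN")     -> under the override apex but not in it"""
    name = qname.rstrip(".").lower()
    enclosing = [o.rstrip(".").lower() for o in zones
                 if name == o.rstrip(".").lower()
                 or name.endswith("." + o.rstrip(".").lower())]
    if not enclosing:
        return ("forward", None)
    apex = max(enclosing, key=len)
    zone = next(r for o, r in zones.items() if o.rstrip(".").lower() == apex)
    rrsets = zone.get(name)
    if rrsets is None:
        return ("override", "NXDOMAIN")
    return ("override", rrsets.get(qtype.upper(), []))


def demo():
    """Show the apex being answered locally while names under it vanish."""
    zones = {"example.com": parse_zone("example.com", OVERRIDE_ZONE_FILE)}
    for q in ("example.com", "www.example.com", "mail.example.com",
              "notexample.com", "example.net"):
        print(f"{q:20s} A   -> {classify_query(zones, q, 'A')}")
    return zones


if __name__ == "__main__":
    demo()
```

Running it shows "www.example.com" and "mail.example.com" returning NXDOMAIN even though nothing in the configuration mentions them, while "notexample.com" is still forwarded: the override applies to the whole subtree below the apex, which is exactly why any such names must be copied into the override zone if users still need them.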


Dnsmasq is an easy-to-use integrated DHCP server and DNS forwarding server, and in a case like this it might be a viable alternative. Because dnsmasq is not a complete DNS implementation like BIND, names under the label are not affected. Note that dnsmasq requires an upstream forwarding nameserver (such as BIND) to do recursion for names for which it is not authoritative.

What about DNSSEC?

DNSSEC can complicate things. These override zones should only be served internally (to clients in your own network), but it's possible that end-user validation tools will detect that you have assumed authority over names you do not control.

© 2001-2018 Internet Systems Consortium


Feedback

    [Dominian]: BIND information 2015-05-13 14:42

    This article, specifically on the BIND side, is what I was looking for setting up an internal DNS server that will eventually serve authoritative zones internally for my network, but allow me to also serve up specific hosts I need to resolve internally as well as externally.

    Thank you!
