empty-zones-enable should implicitly specify "forwarders {};" on empty zones
Summary
The purpose of the "empty-zones-enable" option, when set to "yes" (the default), is to prevent reverse DNS lookups of private IP addresses from leaking out to the Internet. However, when the "forwarders" option has been given a non-empty value (at the options or view level), the observed behaviour is that these queries are sent to the forwarders. They should be answered locally instead of being forwarded.
BIND version used
BIND 9.18.1
Steps to reproduce
Specify the following configuration for BIND:
options {
        forwarders {
                1.1.1.1;
        };
        # empty-zones-enable is set to yes by default
};
(edit: the log output below was copied and pasted from a different configuration)
Note that when BIND starts up it logs something like this:
zoneload: automatic empty zone: view XXX: 168.192.IN-ADDR.ARPA
Then use dig to perform a reverse lookup of a private IP address, e.g.: dig -x 192.168.1.1
What is the current bug behavior?
BIND logs show that the request was sent to the forwarders specified in the options:
16-Oct-2022 14:23:17.568 queries: info: client @0x7fdd7c036758 ::1#34016 (1.1.168.192.in-addr.arpa): view XXX: query: 1.1.168.192.in-addr.arpa IN PTR +E(0)K (::1)
16-Oct-2022 14:23:17.604 lame-servers: info: no valid RRSIG resolving '168.192.in-addr.arpa/DS/IN': 1.1.1.1#53
16-Oct-2022 14:23:17.604 lame-servers: info: broken trust chain resolving '1.1.168.192.in-addr.arpa/PTR/IN': 1.1.1.1#53
16-Oct-2022 14:23:17.604 query-errors: info: client @0x7fdd7c036758 ::1#34016 (1.1.168.192.in-addr.arpa): view XXX: query failed (broken trust chain) for 1.1.168.192.in-addr.arpa/IN/PTR at query.c:7649
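The log lines above are enough to spot this leak mechanically. The following is an added Python example, not part of the report or of BIND: it reads the two "lame-servers" lines from the report plus two constructed lines and flags any RFC 1918 reverse name that named tried to resolve through a public upstream. The regular expression, the PRIVATE_V4 list and the function names are this example's own assumptions about the log format shown above.

```python
import ipaddress
import re

# RFC 1918 reverse space, which the automatic empty zones 10.IN-ADDR.ARPA,
# 16-31.172.IN-ADDR.ARPA and 168.192.IN-ADDR.ARPA cover. Assumption of this
# example: only these three ranges are checked; BIND's full empty-zone list is longer.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the "resolving '<name>/<type>/IN': <server>#<port>" tail of BIND's
# lame-servers / resolver log lines, as seen in the report above.
RESOLVING_RE = re.compile(
    r"resolving '(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN': (?P<server>[^#\s]+)#(?P<port>\d+)"
)

# Sample input: the two lame-servers lines from the report, plus two constructed
# lines (a public reverse name, and a private name sent to an internal forwarder).
SAMPLE_LOG = [
    "16-Oct-2022 14:23:17.604 lame-servers: info: no valid RRSIG resolving "
    "'168.192.in-addr.arpa/DS/IN': 1.1.1.1#53",
    "16-Oct-2022 14:23:17.604 lame-servers: info: broken trust chain resolving "
    "'1.1.168.192.in-addr.arpa/PTR/IN': 1.1.1.1#53",
    # constructed: public reverse name, legitimately forwarded
    "16-Oct-2022 14:25:01.000 lame-servers: info: no valid RRSIG resolving "
    "'4.4.8.8.in-addr.arpa/PTR/IN': 1.1.1.1#53",
    # constructed: private reverse name sent to an internal resolver, not a leak
    "16-Oct-2022 14:25:02.000 lame-servers: info: no valid RRSIG resolving "
    "'1.0.0.10.in-addr.arpa/PTR/IN': 10.0.0.53#53",
]


def reverse_name_to_network(name):
    """Map a (possibly partial) in-addr.arpa name to the IPv4 network it covers:
    '1.1.168.192.in-addr.arpa' -> 192.168.1.1/32, '168.192.in-addr.arpa' -> 192.168.0.0/16.
    Returns None for names outside in-addr.arpa or with malformed octets."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2][::-1]  # reverse-name labels are least significant first
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    prefix = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + f"/{prefix}", strict=False)


def is_private_reverse(name):
    """True if the reverse name lies entirely inside RFC 1918 space."""
    net = reverse_name_to_network(name)
    return net is not None and any(net.subnet_of(p) for p in PRIVATE_V4)


def find_leaks(log_lines):
    """Return (name, server) pairs for private reverse names that named tried to
    resolve via a public upstream. With empty zones enabled these should have been
    answered locally, so each hit is a query that escaped to the Internet."""
    leaks = []
    for line in log_lines:
        m = RESOLVING_RE.search(line)
        if not m:
            continue
        try:
            upstream = ipaddress.ip_address(m.group("server"))
        except ValueError:
            continue  # not an address literal; skip
        if is_private_reverse(m.group("name")) and upstream.is_global:
            leaks.append((m.group("name"), str(upstream)))
    return leaks


if __name__ == "__main__":
    for name, server in find_leaks(SAMPLE_LOG):
        print(f"LEAK: {name} was sent to {server}")
```

Run against the report's lines, both the DS lookup for the zone apex and the PTR lookup for the host are reported as leaks to 1.1.1.1; the constructed public name and the private name handed to an internal resolver are not. Pointing the script at a real query log only needs the "resolving" lines, which BIND emits in the lame-servers and resolver categories.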
What is the expected correct behavior?
The queries relating to the zones created by the empty-zones-enable option should be answered locally.
Relevant configuration files
See above.
Relevant logs and/or screenshots
See above.
Possible fixes
The zones created by the empty-zones-enable option should contain an implicit "forwarders {};" setting which would stop these queries from being forwarded.
If the administrator actually does want these requests to be forwarded, they should specify "empty-zones-enable no;" or "disable-empty-zone ...".
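As a concrete version of that workaround, the following named.conf fragment is an added example, not configuration from the report or from BIND's documentation. It keeps the global forwarder from the report and adds explicit forward zones with an empty forwarders list for the RFC 1918 reverse zones (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, a subset of BIND's automatic empty zones). In BIND, an empty forwarders list on a forward zone turns off forwarding for that domain and cancels the global forwarders, which is what the proposed implicit setting would do automatically.

```conf
options {
        // global forwarder from the report; every query not otherwise
        // exempted is sent here
        forwarders {
                1.1.1.1;
        };
        // empty-zones-enable yes; is the default and stays in effect
};

// Added example: cancel forwarding for the RFC 1918 reverse zones so that
// the automatic empty zones answer them locally. An empty forwarders list
// on a forward zone disables forwarding for that name.
zone "10.in-addr.arpa" { type forward; forwarders {}; };
zone "16.172.in-addr.arpa" { type forward; forwarders {}; };
zone "17.172.in-addr.arpa" { type forward; forwarders {}; };
zone "18.172.in-addr.arpa" { type forward; forwarders {}; };
zone "19.172.in-addr.arpa" { type forward; forwarders {}; };
zone "20.172.in-addr.arpa" { type forward; forwarders {}; };
zone "21.172.in-addr.arpa" { type forward; forwarders {}; };
zone "22.172.in-addr.arpa" { type forward; forwarders {}; };
zone "23.172.in-addr.arpa" { type forward; forwarders {}; };
zone "24.172.in-addr.arpa" { type forward; forwarders {}; };
zone "25.172.in-addr.arpa" { type forward; forwarders {}; };
zone "26.172.in-addr.arpa" { type forward; forwarders {}; };
zone "27.172.in-addr.arpa" { type forward; forwarders {}; };
zone "28.172.in-addr.arpa" { type forward; forwarders {}; };
zone "29.172.in-addr.arpa" { type forward; forwarders {}; };
zone "30.172.in-addr.arpa" { type forward; forwarders {}; };
zone "31.172.in-addr.arpa" { type forward; forwarders {}; };
zone "168.192.in-addr.arpa" { type forward; forwarders {}; };
```

Validate with named-checkconf before reloading. Afterwards, dig -x 192.168.1.1 @127.0.0.1 should come back NXDOMAIN with the SOA of 168.192.in-addr.arpa in the authority section, and the lame-servers and query-errors entries shown above should no longer appear for that name. The fragment only covers the three RFC 1918 ranges; the other names that named reports as "automatic empty zone" at startup (127.in-addr.arpa and the rest of that list) need the same treatment if they must not leave the network either.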