Until recently I've been using BIND9 on my on-premises server (Ubuntu 16.04 w/LAMP). But then I decided to move one of my sites to remote 3rd party hosting. Obviously, I changed the DNS servers on the site's registrar's website and the site works fine. The problem is that on my LOCAL machine (where BIND9 is), it still points me to my local installation of that host.

papakota



Stop being authoritative for the domain

Remove the zone from BIND's configuration, i.e. remove

zone "example.com" { type master; file "/etc/bind/db.example.com"; };

and then reload the configuration with

$ sudo rndc reload

Separate your authoritative and recursive DNS infrastructure

You probably have nameserver 127.0.0.1 in your /etc/resolv.conf. You could remove it and add recursive name servers you can use as resolvers.

Although it is technically possible to have both recursive and authoritative roles on the same server, it is not recommended. There are several reasons for this isolation:

  • Preventing amplification attacks (RFC 5358, 4).

  • Preventing DNS cache poisoning, although this is mostly a historical reason best explained in the 3rd edition of Nemeth, E., Snyder, G., Seebass, S., & Hein, T. (2000). UNIX system administration handbook. Pearson Education. (Chapter 16 THE DOMAIN NAME SYSTEM; The BIND software; Authoritative and caching-only servers.):

    In BIND4 and BIND 8, it wasn't a good idea to use a single name server as an authoritative server for some zones and as a caching server for others. Each named ran with a single in-memory database, and cross-contamination could occur if memory was tight and cached data mixed with authoritative data. BIND 9 has eliminated this problem, so mix away.

  • For stability / load balancing: authoritative name servers are a crucial part of the Internet, as almost everything else relies on DNS. Therefore, we should not allow technical errors or high loads on a recursive server to affect the performance of this system.

  • Preventing this exact situation, where a name server stops being authoritative for the domain, but the local configuration keeps it answering authoritatively and eventually with outdated records.

Esa Jokinen
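The first step of the answer above (dropping the zone stanza and reloading) plus the check a practitioner would want afterwards, as an added example that is not part of the original answer. It assumes the Ubuntu default config path /etc/bind/named.conf.local and that dig is installed; the zone name is whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of the original answer. Removes a zone stanza from a
# BIND configuration file and checks whether the local named still answers
# authoritatively. The config path below is an assumption (Ubuntu default).

# remove_zone <config-file> <zone-name>
# Deletes `zone "<name>" ... { ... };`, single- or multi-line, keeping a .bak
# copy. Returns 0 if a stanza was removed, 1 if the zone was not found.
remove_zone() {
    conf="$1"; name="$2"
    cp "$conf" "$conf.bak"
    awk -v z="$name" '
        BEGIN { want = "\"" z "\"" }
        # Start of the stanza: first field "zone", second field the quoted name
        $1 == "zone" && $2 == want && !skip { skip = 1; depth = 0; opened = 0 }
        skip {
            # Count braces so nested blocks (allow-update { ... };) are skipped too
            o = gsub(/\{/, "{"); c = gsub(/\}/, "}")
            depth += o - c
            if (o) opened = 1
            if (opened && depth <= 0) skip = 0
            next
        }
        { print }
    ' "$conf.bak" > "$conf"
    # Unchanged output means no stanza matched
    if cmp -s "$conf" "$conf.bak"; then return 1; fi
    return 0
}

# still_authoritative <zone> [server]
# Returns 0 if the server sets the AA flag on an SOA query, i.e. it still
# claims authority for the zone. Requires dig (bind9-dnsutils).
still_authoritative() {
    dig +norecurse +noall +comments "@${2:-127.0.0.1}" "$1" SOA 2>/dev/null \
        | grep -q 'flags:.* aa[ ;]'
}

# Usage: sh fix-zone.sh example.com
if [ -n "${1:-}" ]; then
    remove_zone /etc/bind/named.conf.local "$1" \
        && named-checkconf && sudo rndc reload
    if still_authoritative "$1"; then
        echo "named still answers authoritatively for $1"
    else
        echo "named no longer claims authority for $1"
    fi
fi
```

named-checkconf runs before rndc reload so a mangled file is never loaded; if the zone was defined in a different included file, grep for it across /etc/bind first.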