DNS by design does not enable having an authoritative copy of all zones, as it utilizes a hierarchical naming system.
The root servers are authoritative for identifying the server responsible for the Top Level Domain (TLD) in question. For example, resolving www.example.net will first query a root server to identify the authoritative nameserver for .net. The .net nameserver will identify the authoritative nameserver for example.net, which will then return the record for www.example.net.
You cannot download a copy of all zones. However, you can run a local caching nameserver. The caching nameserver will provide a local copy of all records resolved, which expire using the Time To Live (TTL) specified for the record. Please keep in mind that my explanation is a simplistic description of the DNS protocol, which can be explored in detail by reading definitions in the Request For Comments.
While NXDOMAIN hijacking can be avoided by running a local cache, keep in mind that all DNS resolution traffic will still be transmitted via your Internet connection unencrypted. Your ISP could potentially monitor that traffic and still see the communication. The contracts you have with your ISP as well as your local laws are going to be your definitive means for establishing how your communications are treated. Your ISP's contracts will include the Terms of Service, Privacy Policies and any additional contracts that you may have with your ISP.
Using encrypted protocols is one of the best methods for ensuring your data against eavesdropping during transit. However, even that has no guarantee of anonymity. There are additional protocols out there such as Tor and Freenet, which attempt to introduce anonymity to the Internet, as it was never designed to be truly anonymous.
If you don't explicitly restrict zone transfer then Bind9 allows it by default.
http://www.zytrax.com/books/dns/ch7/xfer.html
Try doing it again after restricting zone transfer. Secondly, if you are using them as secondary DNS, check if they accept notifications from the master so that the update doesn't have to wait till the refresh timeout expires.
Best Answer
You're looking for statistics, so you'll want to read what the BIND Administrator Reference Manual has to say on BIND statistics. In particular:
Statistics can be dumped locally to the filesystem, or exposed over HTTP via the statistics channel. In the latter case you can remotely harvest the counters via a monitoring system by parsing the XML or JSON. The latter approach is definitely useful, but you'll want to make sure the HTTP socket isn't exposed to untrusted sources.
In my particular case, I wrote a curl and jq based parser that takes JSON counters of interest and transforms them into the JSON format that Zenoss understands. The counters can then be graphed. Here's an example of what I'm doing with graphing query round trip time via the exposed RTT counters: