ShaneGibson posted this little gem to the mailing list.

{{{
On 3 Apr 2002, Adam Shand wrote:
> The only problem I can see with this is that without an uplink to the
> internet so DNS works you (and any clients) will have to go directly
> to the gateway by IP address in order to get the splash page, otherwise
> you'll hang indefinitely waiting for the DNS to resolve.
>
> I've been thinking about twiddling around with a DNS server and seeing
> if I can figure out how to get a DNS server to always respond to any DNS
> query with its own IP address for situations like this.
>
> I think dnsmasq might do it, or otherwise you could probably do it by
> replacing the root.cache file in your bind setup but I haven't actually
> done it to see what caveats may exist.
}}}

We do DNS spoofing in our QA network environment. Since the QA data utilizes production data in its environment, we don't want stuff leaking out to the outside world by accident. So we ensure that all DNS resolution for "real" domains is spoofed by our internal DNS. We also block outbound data via the firewall, but just in case... This is essentially what Adam is talking about above (or one approach to the issue). Here's how we do it. (Note: IPs have been changed to protect the not-so-innocent!)

In your /etc/named.conf:

{{{
/* named runs chroot'ed to /var/named */
options {
};

/* the root zone is served from root.db (see below) */
zone "." {
        type master;
        file "root.db";
};

zone "localhost" {
};

zone "" {
};

zone "" {
};
}}}

The important file is root.db and needs to look like this:

{{{
$TTL 1h
.       IN SOA (
        )
.       IN A
.       IN MX 10
*.      IN CNAME .
}}}

This simply wildcards all lookups to resolve locally, and we now have spoofed everything. Works like a charm for us. May be of some use in the above proposed setup.
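As an added illustration (not part of Shane's post or the BIND config above), the following Python model applies the wildcard rule from RFC 1034 to the zone data described here: "*." is a CNAME to ".", "." carries the A and MX records, and "localhost" lives in its own zone. The gateway address 10.0.0.1 and the localhost record are constructed sample data; it shows why every outside name lands on the gateway while localhost (and anything beneath it) does not.

```python
# Added example: in-memory model of the "spoof everything" zone.
# Sample data is constructed; 10.0.0.1 stands in for the spoofing host.
GATEWAY = "10.0.0.1"

# Owner name -> record type -> rdata list. "." is the root, "*." the wildcard.
ZONES = {
    ".":          {"A": [GATEWAY], "MX": [(10, ".")]},
    "*.":         {"CNAME": ["."]},
    "localhost.": {"A": ["127.0.0.1"]},   # separate zone, so never spoofed
}

def _norm(name):
    """Lower-case and make the name fully qualified (trailing dot)."""
    name = name.lower().strip()
    if name in ("", "."):
        return "."
    return name if name.endswith(".") else name + "."

def _closest_encloser(qname):
    """Nearest existing ancestor of qname (never qname itself)."""
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        cand = ".".join(labels[i:]) + "."
        if cand in ZONES:
            return cand
    return "."

def lookup(name, rtype, max_chain=8):
    """Answer (name, rtype) as the spoofing server would, following CNAMEs.

    Returns [(owner, type, rdata), ...] in answer order; [] means NXDOMAIN
    or no data of that type.
    """
    answer = []
    qname = _norm(name)
    for _ in range(max_chain):           # bound CNAME chasing
        node = ZONES.get(qname)
        owner = qname
        if node is None:
            # RFC 1034 4.3.3: the root wildcard only matches names whose
            # closest existing ancestor is the root itself.
            if _closest_encloser(qname) != ".":
                return answer            # e.g. www.localhost. -> NXDOMAIN
            node = ZONES["*."]           # synthesised answer owned by qname
        if rtype in node:
            answer.extend((owner, rtype, rr) for rr in node[rtype])
            return answer
        if "CNAME" in node:
            target = node["CNAME"][0]
            answer.append((owner, "CNAME", target))
            qname = _norm(target)
            continue
        return answer                    # name exists, no data of that type
    return answer
```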