Forwarding under which conditions?
Barry Margolin
barmar at alum.mit.edu
Tue Jun 13 11:08:48 UTC 2006
In article <e6lu48$ftq$1 at sf1.isc.org>,
Arik Raffael Funke <arik.funke at gmx.de> wrote:
> Barry Margolin wrote:
> > Arik Raffael Funke <arik.funke at gmx.de> wrote:
> >> Can anybody summarise briefly when to and when not to use forwarding? I
> >> thought I use local caching such as to speed up queries.
> >
> > Use forwarding when there's something preventing you from contacting
> > other servers on the Internet, like a firewall.
> >
> > Whether you use forwarding or not, your server will still cache the
> > results.
>
> My internal clients cannot reach the public dns servers directly due to
> non-public ips.
The clients don't matter; what matters is whether your SERVER can reach
public servers.
> If I simply forward dns queries with iptables to an
> external dns, the external dns caches the info, but I still have to get
> it to my local network every time a query is run. I thus have a delay -
> especially if the remote machine is slow. I was looking to eliminate
> this delay.
BIND forwarding is not like iptables forwarding. It's not just passing
the packets through, it's still a DNS server. When you enable
forwarders, you're just telling it "Instead of asking the authoritative
servers yourself, ask these servers; either way, cache the results."
In general, asking the authoritative servers will be better, because the
TTLs of the responses will be longer. Suppose one of your users looks up a
record whose authoritative TTL is 60 minutes, and you forward to your
ISP's server. If it cached the record 59 minutes ago, the record you
receive will have a 1-minute TTL, so you'll have to look it up again if
one of your users asks again a minute later. But if you go to the
authoritative server directly, you'll get the full 60-minute TTL and
won't have to query again for an hour.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
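The TTL argument in the reply above, as an added example that is not part of the original post or of BIND: a toy caching resolver (constructed here; `Cache`, `compare` and the 59-minutes-old ISP cache are all assumptions of this illustration) shows how a server that forwards inherits only the residual TTL of the forwarder's copy, while a server that recurses itself receives the full authoritative TTL.

```python
"""Toy model of DNS caching: direct recursion vs forwarding through another cache."""
from dataclasses import dataclass, field
from typing import List, Optional

AUTH_TTL = 3600  # the post's example record: a 60-minute authoritative TTL


@dataclass
class Cache:
    """One cached record. upstream=None means this server recurses to the
    authoritative servers itself; otherwise it forwards to another Cache."""
    upstream: Optional["Cache"] = None
    stored_at: Optional[int] = None   # seconds; None = nothing cached yet
    ttl_at_store: int = 0             # TTL the record carried when stored
    refetches: List[int] = field(default_factory=list)  # times we had to ask upstream

    def residual_ttl(self, now: int) -> Optional[int]:
        """TTL left on the cached copy at time `now`, or None if absent/expired."""
        if self.stored_at is None:
            return None
        left = self.ttl_at_store - (now - self.stored_at)
        return left if left > 0 else None

    def lookup(self, now: int) -> int:
        """Answer a client at time `now`, fetching from upstream on a miss.
        Authoritative answers carry the full TTL; a forwarder's answer carries
        only whatever is left on the forwarder's own copy."""
        left = self.residual_ttl(now)
        if left is None:
            left = AUTH_TTL if self.upstream is None else self.upstream.lookup(now)
            self.stored_at, self.ttl_at_store = now, left
            self.refetches.append(now)
        return left


def compare(isp_cache_age: int, query_interval: int, horizon: int) -> dict:
    """Constructed scenario: a user asks every `query_interval` seconds for
    `horizon` seconds. 'direct' recurses itself; 'forwarding' asks an ISP
    resolver whose copy of the record is already `isp_cache_age` seconds old."""
    direct = Cache()
    isp = Cache(stored_at=-isp_cache_age, ttl_at_store=AUTH_TTL)
    forwarding = Cache(upstream=isp)
    first = {"direct": direct.lookup(0), "forwarding": forwarding.lookup(0)}
    for t in range(query_interval, horizon + 1, query_interval):
        direct.lookup(t)
        forwarding.lookup(t)
    return {"first_ttl": first,
            "refetches": {"direct": direct.refetches, "forwarding": forwarding.refetches}}


if __name__ == "__main__":
    # ISP copy cached 59 minutes ago, one client query per minute, two hours
    print(compare(isp_cache_age=59 * 60, query_interval=60, horizon=2 * 3600))
```

The forwarding server gets a 60-second TTL on its first answer and must re-query one minute later, exactly as the post describes; the direct server keeps its copy for the full hour.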