Forwarding environment questions
Mark Andrews
Mark_Andrews at isc.org
Mon Nov 26 05:56:39 UTC 2007
> I am currently in the process of re-structuring a fairly large BIND environment
> and have a few questions regarding forwarding. Here is a simple overview of the
> environment that I have in mind for Internal DNS:
>
> * Internal Master (authoritative, uses forwarders to caching only servers for non-authoritative queries)
> - Slave 1 (authoritative, uses forwarders to caching only servers for non-authoritative queries)
> - Slave 2 (authoritative, uses forwarders to caching only servers for non-authoritative queries)
> - Slave 3 (authoritative, uses forwarders to caching only servers for non-authoritative queries)
> - Slave 4 (authoritative, uses forwarders to caching only servers for non-authoritative queries)
> * Caching only nameserver 1 (no authoritative data, all other internal BIND servers forward to these for recursive queries)
> * Caching only nameserver 2
>
> I am trying to follow best practices in that authoritative servers (masters and slaves) should
> not allow recursive lookups, but should use forwarders if necessary. Due to the nature of the
There is no "but should use forwarders if necessary".
> existing environment, all clients are pointing to either the internal master or slave servers for
> all name resolution (internal resolution, and recursive resolution). In order to keep these
> authoritative servers from doing recursive lookups, my plan is to have them all use a forwarders statement
> in the global options to forward all recursive lookups to the two "Caching only nameservers" that
> we have in our environment. Is using forwarders in this way considered to be a good practice versus
> these authoritative servers going out to the Internet directly for recursive lookups using root hints?
>
> I am also a bit confused about the forwarders statements on the slave servers. It is my understanding
> that they will only use the forwarders (that are defined in options) if the nameserver does not
> contain authoritative data for the zone. Is this the case for slave zones as well? Or do I need
> to specify "forwarders { };" for each of the zones on the slaves to force it to use the local authoritative
> data?
>
> I greatly appreciate any input or suggestions that you have.
>
> Thanks,
>
> Josh Baird
You have totally missed the point of separating recursive
and authoritative services.
Firstly, do not use forwarders unless you know what you are
doing. Forwarders are there for very specific configuration
issues. Forwarders are one of the most abused configuration
options in named.conf.
For authoritative servers you really only need:

    options {
        recursion no;                  // never resolve on behalf of clients
        allow-query-cache { none; };   // never answer from the cache either
    };
    <zone definitions>
That will isolate the clients from anything the server
learns as it does its notify processing. Note, authoritative
servers (masters and slaves) will still ask questions, so
they still need a hint zone.
Caches can be slaves of zones but they should not be listed
in the NS RRset for the zones. It is actually common for
caches to be slaves of internal zones as an override mechanism.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
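The split Mark describes, written out as a pair of complete named.conf files plus the checks an operator would run on them. This is an added example, not part of the original post or ISC's own documentation. Everything concrete in it is an assumption for illustration: the 10.0.0.0/8 client range, the zone corp.example, the master at 10.0.0.1, and the file paths. The authoritative file carries exactly the two options from the reply plus the hint zone the reply says is still required; the cache file shows a caching-only server that restricts recursion to internal clients and slaves the internal zone as an override without being in that zone's NS RRset.

```shell
#!/bin/sh
# Added example: named.conf for an authoritative-only server and for a
# separate caching server, plus syntax and behaviour checks.
# Assumed for illustration: 10.0.0.0/8 as the internal range, corp.example
# as the internal zone, 10.0.0.1 as its master, /var/named as the directory.
set -eu

OUT="${1:-$(mktemp -d)}"
mkdir -p "$OUT"

write_auth_conf() {
    # Authoritative master or slave: no recursion, nothing served from the
    # cache, so clients only ever get zone data. The hint zone stays because
    # the server still resolves names itself (e.g. NS targets for NOTIFY).
    cat > "$OUT/named.conf.auth" <<'EOF'
options {
    directory "/var/named";
    recursion no;
    allow-query-cache { none; };
};

zone "." {
    type hint;
    file "named.root";
};

zone "corp.example" {
    type master;
    file "master/corp.example";
    allow-transfer { 10.0.0.0/8; };   // slaves and caches that may AXFR
};
EOF
}

write_cache_conf() {
    # Caching-only server: recursion allowed, but only for internal clients.
    # It slaves the internal zone as an override; it is deliberately absent
    # from that zone's NS RRset, so nothing outside depends on it.
    cat > "$OUT/named.conf.cache" <<'EOF'
acl internal { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
};

zone "." {
    type hint;
    file "named.root";
};

zone "corp.example" {
    type slave;
    masters { 10.0.0.1; };
    file "slave/corp.example";
};
EOF
}

has_directive() {
    # Succeeds when config file $1 contains directive $2 (fixed text).
    grep -q -- "$2" "$1"
}

check_syntax() {
    # Syntax-check with BIND's own tool when it is installed; skip otherwise.
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    fi
}

verify_no_recursion() {
    # Live check against a running authoritative server $1: with the options
    # above it must not set the "ra" flag and must REFUSE a name it is not
    # authoritative for. Returns non-zero if either expectation fails.
    hdr=$(dig @"$1" +time=2 +tries=1 www.example.net A 2>/dev/null) || return 1
    printf '%s\n' "$hdr" | grep -q ';; flags:[^;]* ra[ ;]' && return 1
    printf '%s\n' "$hdr" | grep -q 'status: REFUSED'
}

write_auth_conf
write_cache_conf
check_syntax "$OUT/named.conf.auth"
check_syntax "$OUT/named.conf.cache"
echo "configs written to $OUT"
```

Run it with an output directory as the first argument to get the two files; `verify_no_recursion 10.0.0.1` is meant to be run by hand against a deployed authoritative server and needs dig on the path. Note that the authoritative file has no forwarders statement at all: the point of the reply is that the authoritative servers answer only from zone data, and the clients, not the servers, are repointed at the caches.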