Switching from forwarding to recursion

Will Lists listswill at gmail.com
Tue Nov 1 13:22:08 UTC 2011


We recently tried a test to see how our internal servers would react to a
loss of their external peers, with the goal being that the internal servers
would switch from forwarding to doing recursive queries for clients.
Normally, the internal servers forward to the external servers.  To
simulate the loss of the external servers, we pushed a new firewall rule
that blocked port 53 to the external servers from the internal servers.
That did seem to cause the internal servers to start using the root
servers in a recursive manner.

We did see that some recursive queries were answered, eventually, though
usually much, much slower than if the request had been forwarded as normal
to the external servers.  We saw traffic (lots of traffic) going across the
firewall to the roots as well as multiple domain specific name servers, so
that flow path is working as best as I can tell.  All servers are running
BIND 9.7.4.

The issue we saw was that the queries would time out more often than not
and on the off chance they did get an answer back to the requesting client,
it was very slow after several retries.

Am I missing something in the named.conf file?  Is there something specific
I should be looking for in the syslog or daemon.log?


The relevant portion of the named.conf file for the INTERNAL view is below:


    forwarders { NS2; NS1; };
    forward first;
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; };
    recursion yes;

    // zone: . [hint]
    include "...";


The hints DB file is current as of the version of BIND in use (2011060800).


Thanks.

-Will
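As an added example (not from Will's post or from the BIND documentation), the INTERNAL view fragment above expanded into a complete view, with comments on how `forward first` falls back to recursion when the forwarders stop answering; the forwarder addresses (192.0.2.1 and 192.0.2.2 standing in for NS1 and NS2) and the hints file name `named.ca` are placeholders.

```conf
// Added example, not the original poster's configuration.
// 192.0.2.1 / 192.0.2.2 are constructed documentation addresses standing
// in for NS1 / NS2; "named.ca" is the conventional root hints file name.
acl internal-nets { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

view "INTERNAL" {
    match-clients { internal-nets; };

    recursion yes;
    allow-recursion { internal-nets; };

    // "forward first": send every query to the forwarders first; only when
    // they fail to answer does named fall back to full recursion from the
    // root hints below. The fallback therefore starts only after the
    // forwarder attempt has timed out, which is paid on each such query.
    // "forward only" would never fall back: an unreachable forwarder then
    // yields SERVFAIL instead of a slow answer.
    forwarders { 192.0.2.1; 192.0.2.2; };
    forward first;

    // Root hints give the fallback path somewhere to start. named primes
    // the root server list from these at startup, so the file must exist
    // and should be kept current.
    zone "." {
        type hint;
        file "named.ca";
    };
};
```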