Multiple DNS Forwards

Kevin Darcy kcd at daimlerchrysler.com
Fri May 26 22:21:56 UTC 2000


If your version of BIND supports one selective forward, it will certainly
accept multiples. Are you absolutely certain the syntax is correct? Depending
on how you have your logging configured -- including where you place your
"logging" statement -- you may not be seeing the parse errors.

The only other thing to do would be to turn on debugging. The
_DNS_and_BIND_ book has some information on how to interpret debugging output.
Or just post relevant sections. In particular, you'd want to look at what zone
it's finding the queries in and whether it is attempting to forward the
queries. When debugging, I'd recommend using dig instead of nslookup: among
other things, "dig" doesn't make any of those extraneous PTR queries or
follow any "searchlist" algorithm that would clutter up the debug logs with
irrelevant queries and make them more difficult to interpret.


- Kevin

Dave Walsh wrote:

> Hi Kevin,
>
> I don't know why but they didn't cut and paste very well. Rest assured, they
> are there and I didn't get any errors in my syslog. I don't know why it's
> not taking the second forward.
>
> Dave
>
> "Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
> news:392EBDE8.3BA3893E at daimlerchrysler.com...
> > I believe someone else (Barry?) pointed out that you have some syntax errors in
> > the named.conf that you attached previously (and I totally missed those, shame
> > on me!). Maybe that's the root of your problem.
> >
> >
> > - Kevin
> >
> > Dave Walsh wrote:
> >
> > > Hi Kevin,
> > >
> > > Thanks again for your response.  I really do appreciate your help since I'm
> > > so new to DNS.  I've read DNS & BIND and am starting to get a handle on it a
> > > bit better.  However, this feature is not very well documented -- at least
> > > that I can find.
> > >
> > > Anyway, I haven't tried dig, but I did do an nslookup and used the server
> > > 158.138.120.22 (server=158.138.120.22) to see if it could resolve addresses
> > > in hal.us.partnerco.com and it was fine.  The thing is, I'm not seeing the
> > > requests even being sent out my firewall to resolve these addresses which
> > > leads me to believe that it can't handle the second forward.  That is, it
> > > can use my general forward statement, and my first specific forward (i.e.
> > > partner.com), but it doesn't seem to go to the next one.  Can this selective
> > > forwarding only use one or can it use multiple?
> > >
> > > Thanks again.
> > >
> > > Dave
> > >
> > > "Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
> > > news:392C3C3D.5A32504E at daimlerchrysler.com...
> > > > It could be that 158.138.120.22 is authoritative for "partner.com" but
> > > > *not* "hal.us.partnerco.com", and has recursion turned off. What happens if
> > > > you just point a command-line utility like "dig" at 158.138.120.22 and try to
> > > > resolve those names? Is the RA (Recursion Available) bit set on the
> > > > response? Maybe you need to ask your partner what server you should be using
> > > > to resolve the names.
> > > >
> > > >
> > > > - Kevin
> > > >
> > > > Dave Walsh wrote:
> > > >
> > > > > Below is the content of my original question and the answer (from the BIND
> > > > > archives). Your solution worked great. However, our partner company has now
> > > > > expanded or decentralized and they also have more than just partner.com
> > > > > names to resolve. They now have hal.us.partnerco.com. I tried putting in
> > > > > another entry in my named.conf, but it doesn't seem to resolve hosts in
> > > > > hal.us.partnerco.com, but partner.com does still work.
> > > > >
> > > > > Any ideas?
> > > > >
> > > > > TIA
> > > > >
> > > > > Dave
> > > > >
> > > > > EXAMPLE: named.conf
> > > > >
> > > > > =====================
> > > > >
> > > > > options {
> > > > >
> > > > > directory "/var/named";
> > > > >
> > > > > forwarders { 227.252.18.10; };
> > > > >
> > > > > forward only;
> > > > >
> > > > > query-source address * port 53;
> > > > >
> > > > > };
> > > > >
> > > > > zone "0.0.127.IN-ADDR.ARPA" in {
> > > > >
> > > > > type master;
> > > > >
> > > > > file "db.127.0.0";
> > > > >
> > > > > notify no;
> > > > >
> > > > > };
> > > > >
> > > > > zone "mycompany.ca" in {
> > > > >
> > > > > type master;
> > > > >
> > > > > file "db.mycompany";
> > > > >
> > > > > };
> > > > >
> > > > > ** NOTE: I CAN RESOLVE HOSTS IN PARTNER.COM
> > > > >
> > > > > zone "partner.com" {
> > > > >
> > > > > type forward;
> > > > >
> > > > > forward only;
> > > > >
> > > > > forwarders { 158.138.120.22; }
> > > > >
> > > > > }
> > > > >
> > > > > ** NOTE: I CAN'T RESOLVE HOSTS IN HAL.US.PARTNERCO.COM
> > > > >
> > > > > zone "hal.us.partnerco.com" {
> > > > >
> > > > > type forward;
> > > > >
> > > > > forward only;
> > > > >
> > > > > forwarders { 158.138.120.22; }
> > > > >
> > > > > }
> > > > >
> > > > > zone "57.168.192.IN-ADDR.ARPA" in {
> > > > >
> > > > > type master;
> > > > >
> > > > > file "db.192.168.57";
> > > > >
> > > > > };
> > > > >
> > > > > zone "0.1.10.IN-ADDR.ARPA" in {
> > > > >
> > > > > type master;
> > > > >
> > > > > file "db.10.1.0";
> > > > >
> > > > > };
> > > > >
> > > > > zone "0.30.10.IN-ADDR.ARPA" in {
> > > > >
> > > > > type master;
> > > > >
> > > > > file "db.10.30.0";
> > > > >
> > > > > };
> > > > >
> > > > > zone "148.208.198.IN-ADDR.ARPA" in {
> > > > >
> > > > > type master;
> > > > >
> > > > > file "db.198.208.1481";
> > > > >
> > > > > };
> > > > >
> > > > > // zone "." in {
> > > > >
> > > > > // type hint;
> > > > >
> > > > > // file "db.cache";
> > > > >
> > > > > // };
> > > > >
> > > > > END NAMED.CONF
> > > > >
> > > > > ORIGINAL CORRESPONDENCE
> > > > >
> > > > > There is really no such thing as "conditional" forwarding in BIND 8. There
> > > > > is, however, "selective" forwarding. The difference is more than semantic:
> > > > > selective forwarding works *unconditionally*, i.e. has no relation to
> > > > > events or state, but is specified on a zone-by-zone basis, i.e. all queries
> > > > > in a specific zone X should be forwarded to a specific set of servers Y, Z,
> > > > > etc.. In your case, you'd set up a zone of type "forward" for your business
> > > > > partner's domain, let's call it "partner.com". And also in the zone
> > > > > definition you'd specify "forward only" and a "forwarders" clause
> > > > > containing the addresses of the partner's nameservers. So it would look
> > > > > something like:
> > > > >
> > > > > zone "partner.com" {
> > > > >
> > > > > type forward;
> > > > >
> > > > > forward only;
> > > > >
> > > > > forwarders { x.x.x.x; y.y.y.y; };
> > > > >
> > > > > }
> > > > >
> > > > > In your situation, selective forwarding would probably be better than
> > > > > conditional forwarding anyway, which would waste time and resources sending
> > > > > queries to the wrong places.
> > > > >
> > > > > A couple of other alternatives to consider, depending on your performance
> > > > > characteristics and/or requirements, or redundancy requirements, would
> > > > > include stub or slave zones.
> > > > >
> > > > > - Kevin
> > > > >
> > > > > Dave_Walsh wrote:
> > > > >
> > > > > > We are a satellite organization of our parent organization. At present,
> > > > > > all of our Win95 PCs point to my local DNS server with a forward statement
> > > > > > to our parent organization's DNS server for name resolution. In other
> > > > > > words, anything not resolved locally, will be forwarded to our corporate
> > > > > > head office (where our Internet access is also). We've recently acquired a
> > > > > > project with a business partner that requires only our location to have
> > > > > > access to the partner's DNS server so I can resolve names in their name
> > > > > > space.
> > > > > >
> > > > > > What's the best approach to accommodate all my needs? I must be able to
> > > > > > resolve local IP names, corporate names in the corporate WAN, Internet
> > > > > > names (via corporate) & the names at our new business partner. Can I
> > > > > > put on a second forwarder statement on my local DNS server that will
> > > > > > effectively say, "if you can't resolve it yourself, try the corporate DNS,
> > > > > > if you can't resolve it there, try the partner DNS?".
> > > > > >
> > > > > > Mr. DNS says that conditional forwarding of BIND 8.2 will do it. I'm
> > > > > > pretty new to DNS. Can someone please advise.
> > > > > >
> > > > > > TIA
> > > > > >
> > > > > > Dave
> > > > >
> > > > > > -- Binary/unsupported file stripped by Listar --
> > > > >
> > > > > > -- Type: text/x-vcard
> > > > >
> > > > > > -- File: Dave_J_Walsh.vcf
> > > > >
> > > > > > -- Desc: Card for Dave_Walsh
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> >
> >
> >
> >
> >
> >
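
Added example, not part of the original thread and not BIND code: a small Python check for the syntax question raised above, namely whether each `forwarders { ... }` clause and each `zone { ... }` statement is closed with a semicolon. The sample input is the pair of forward zones as they appear in the quoted named.conf; the names `lint`, `AS_POSTED` and `FIXED` are assumptions of this example, and only terminators next to braces are checked.

```python
import re

# Tokens of named.conf: comments (dropped), quoted strings, punctuation, bare words.
TOKEN = re.compile(r'''
    (?P<comment>//[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<string>"[^"\n]*")
  | (?P<punct>[{};])
  | (?P<word>[^\s{};"]+)
''', re.VERBOSE | re.DOTALL)

def lint(conf):
    """Return (line, message) for each place a terminating ';' is missing."""
    toks = [(m.group(), conf.count("\n", 0, m.start()) + 1)
            for m in TOKEN.finditer(conf) if m.lastgroup != "comment"]
    problems, depth = [], 0
    for i, (text, line) in enumerate(toks):
        prev = toks[i - 1][0] if i else None
        nxt = toks[i + 1][0] if i + 1 < len(toks) else None
        if text == "{":
            depth += 1
        elif text == "}":
            depth -= 1
            # A nested '}' before this one is reported by its own check below.
            if prev not in ("{", ";", "}"):
                problems.append((line, "last statement in block lacks ';'"))
            if nxt != ";":
                problems.append((line, "'}' is not followed by ';'"))
    if depth != 0:
        problems.append((toks[-1][1], "unbalanced braces"))
    return problems

# The two forward zones as posted in the quoted named.conf.
AS_POSTED = '''\
zone "partner.com" {
    type forward;
    forward only;
    forwarders { 158.138.120.22; }
}
zone "hal.us.partnerco.com" {
    type forward;
    forward only;
    forwarders { 158.138.120.22; }
}
'''
FIXED = AS_POSTED.replace("; }", "; };").replace("\n}", "\n};")  # every '}' terminated

if __name__ == "__main__":
    for line, msg in lint(AS_POSTED):
        print(f"line {line}: {msg}")
    print("fixed copy:", lint(FIXED) or "clean")
```
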
