NS record for zone with forward

Kevin Darcy kcd at daimlerchrysler.com
Wed Feb 28 00:37:52 UTC 2001


As the etherboy documentation states: "You should buy the book, it's
worth it."

If a nameserver is master for a DNS zone, then it considers itself
knowledgeable about *everything* in that zone. It will always answer
queries in the zone *definitively* from its own authoritative data, and
not use the forwarding mechanism or NS records to go ask some other
server. If a nameserver is queried for a name in one of its master zones
and there is no entry for that name in the zone file, then it responds
with NXDOMAIN (authoritative "domain name does not exist"). There is no
"fallback" option where it will go and ask some other nameserver.

What this means at the bottom line -- and which the etherboy
documentation doesn't make very clear -- is that if you want the
internally-accessible version of your domain to be a superset of the
externally-accessible version, you have to maintain the external entries
in *both* zones. etherboy just says that the two nameserver instances
"can have different data for the same domain". This vague pronouncement
might have led you to believe that you could put part of your zone in one
instance and part of your zone in the other, and have them appear as a
coherent whole to internal clients. It doesn't work that way.

The NS records in either version of the zone should only contain the
nameservers which other *non-forwarding*, *non-authoritative* nameservers
should use for resolving names in the zone. So you wouldn't want to put
internal NS'es in the external version of the zone, or _vice_versa_.

Personally, I don't like the way etherboy sets up "two-headed" DNS. I run
"two-headed" on a couple of our firewalls, but instead of forwarding from
the internal to the external instance, I just set up the internal
instance with an Internet hints file. That way I can turn off recursion
completely on the external instance, thus keeping my memory consumption
to a minimum. I have other, less-important differences of opinion with
the etherboy method, but why belabor the point?


- Kevin


Chris J. Herbst wrote:

> I'm following the procedure outlined at
> http://www.etherboy.com/dns/chrootdns.html to achieve something
> similar.  If I were to set up 2 nameservers, one inside a firewall,
> another outside, what should I set as the NS record in the following
> zone:
>
> zone "somedomain." {
>         type master;
>         file "inside.db";
>         forwarders {1.2.3.4;};
> };

This zone definition is a bit confused. You should *either* have a
"file" clause (if "type master") *or* a "forwarders { x.x.x.x; };" clause
(if "type forward"). But not *both*. Note that "forwarders { }" is legal
in a master-zone definition, but it has a somewhat special meaning.

> 1.2.3.4 is outside the firewall, and somedomain is type master on both
> nameservers.  I've tried setting my NS record in inside.db to the
> RFC1918 address of the inside nameserver, and also as the hostname of
> 1.2.3.4 (also added an A record so it would resolve).
>
> If I set type forward here I can resolve everything on 1.2.3.4, but
> nothing in inside.db; this means it should work if I set it to type
> master, but it's not.  As soon as I set type master I can only resolve
> what's in inside.db.  So I'm thinking my NS record is broken?
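The layout Kevin describes above (internal instance answering from a superset zone and resolving the rest via root hints, external instance authoritative-only with recursion off), written out as an added example that is not part of the original thread. "somedomain." and 1.2.3.4 come from the question; 10.0.0.53, 10.0.0.80, 1.2.3.5, the ns-int/ns-ext names and the file paths are constructed placeholders.

```conf
// named.conf on the INTERNAL instance (behind the firewall)
options {
    directory "/var/named";
    recursion yes;         // internal clients need recursion
    // no global "forwarders": unknown names are chased from the root hints
};
zone "." {
    type hint;
    file "named.root";     // Internet root hints, obtained separately
};
zone "somedomain." {
    type master;           // authoritative: answer or NXDOMAIN, never a forward
    file "inside.db";      // must contain the external records as well
    // a "forwarders { };" here overrides the global list for this zone only;
    // an empty list switches forwarding off, it does not add a fallback
};

// named.conf on the EXTERNAL instance (outside the firewall, 1.2.3.4)
options {
    directory "/var/named";
    recursion no;          // authoritative-only; no hints file needed
};
zone "somedomain." {
    type master;
    file "outside.db";     // public subset only
};

; inside.db (constructed): superset of the public data, internal NS only
$TTL 86400
@        IN SOA ns-int.somedomain. hostmaster.somedomain. (
             2001022801 3600 900 604800 86400 )
         IN NS  ns-int.somedomain.
ns-int   IN A   10.0.0.53          ; RFC1918 address of the internal server
www      IN A   1.2.3.5            ; public record duplicated here on purpose
intranet IN A   10.0.0.80          ; internal-only record

; outside.db (constructed): public data, external NS only
$TTL 86400
@        IN SOA ns-ext.somedomain. hostmaster.somedomain. (
             2001022801 3600 900 604800 86400 )
         IN NS  ns-ext.somedomain.
ns-ext   IN A   1.2.3.4
www      IN A   1.2.3.5
```

Internal clients point only at the internal instance, and the delegation for somedomain. at the parent zone lists ns-ext alone, so neither set of NS records leaks into the other view.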
More information about the bind-users mailing list