Forwarders 1000000 + 1

Georg Ulfig georg at ulfig.de
Fri Jan 19 10:04:03 UTC 2001


<peter at icke-reklam.ipsec.nu.invalid> wrote in message
news:947qc0$3n1 at pub3.rc.vix.com...
>
> Georg Ulfig <georg at ulfig.de> wrote:
>
> > Hello,
>
> > I have not found a solution for my problem in this newsgroup so I will post
> > it here.
>
> > My configuration: SuSE7 Linux, Bind8, Dial on Demand, masquerading, dynamic
> > IPs.
>
> > My first attempt was to set my provider's name server address as forwarder
> > plus forwarding only.
>
> > Problem: If a name server request (unfortunately UDP) has to be forwarded to
> > the name server of the provider, DoD opens a connection, but the request is
> > lost, because UDP packets with a dummy IP (if the connection is not
> > established) cannot be patched to the "real IP" (after connection).
> > My solution: I added my provider's name server IP several times to the
> > forwarders list. This worked fine, because the name server now requests the
> > external name server more often.
>
> > New problem: Now I discovered that, even if my local DNS has cached the
> > requested data, the forwarders will be asked for a specific name.
>
> If you use forward-only you might still go out.
> > New solution: no forwarders, not forward only -> only root name servers ->
> > this works fine but this is a DIRTY solution.
>
> This is the CLEAN solution. Why even bother with forwarding?
>
> > Can anybody tell me, what I do wrong?
> Nothing, the last solution is ok.
> You will drop the first UDP packet (until the link has come up) but
> bind will retransmit after a short delay.
>
> > Georg
>
> --
> Peter Håkanson               Phone     +46707328101       Fax       +4631223190
> IPSec sverige                Email      peter at ipsec.nu
> "Safe by design"             Address    Bror Nilssons gata 16 Lundbystrand
>                                         S-417 55  Gothenburg Sweden
>



Hello Peter,

but do you think querying the root name servers directly is really OK? What
happens if everybody does this? (Lots of millions of requests.)

Georg
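For readers following the thread, the two configurations being compared above, written out as BIND 8 `named.conf` fragments. This is an added example, not configuration posted by Georg or Peter: the forwarder address `192.0.2.53` is a documentation-range placeholder for the provider's resolver, and the directory and hints file names are assumptions.

```conf
// Added example (not from the thread): BIND 8 named.conf fragments for the
// two setups discussed. 192.0.2.53 is a placeholder for the provider's
// resolver; "/var/named" and "root.hint" are assumed names.
//
// Only ONE of the two variants belongs in a real named.conf.

// ---- Variant A: Georg's first attempt (forwarders + forward only) ----
// Every query not answered from the cache is sent to the forwarder.
// With "forward only" named never falls back to iterative resolution, so
// if the forwarder is unreachable (e.g. link still coming up) the query
// fails instead of being retried against the root servers.
options {
    directory "/var/named";
    forward only;
    forwarders { 192.0.2.53; };
};

// ---- Variant B: what Peter calls the clean solution (no forwarders) ----
// named resolves iteratively starting from the root hints. The first UDP
// query may be lost while the dial-on-demand link establishes; named's
// own retransmit timer covers that, as Peter describes.
options {
    directory "/var/named";
};

zone "." {
    type hint;
    file "root.hint";   // assumed file name; the root server list
};
```

Variant B also answers Georg's "new problem": with no forwarders configured, a name already in the local cache is served from the cache without any external query, so the link is not brought up for cached data.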