Can someone explain forwarders and why I don't need them?

Herb Martin news at LearnQuick.com
Wed Jul 30 22:15:33 UTC 2003


> I always used to think that in order for a named install to work
> right, it'd need a forwarder to work correctly - ie, point it to the
> upstream DNS.

No, and in some sense there is no "upstream" DNS -- normal
case is for DNS to be in a Hierarchy from the "." root down.

Primary case is:  Any server that will resolve a name has a list
of root servers (cache file or root hints) and works from this
pre-configured root info down to the TLD (e.g., .Com), to first level
domains (e.g., Microsoft.com, IBM.Com), and so on until it finds
a name server which knows the answer -- or exhausts the possibility
of finding that answer.

In THIS case -- no forwarder is involved.

> I noticed in this group (when searching for the answer to something else
> entirely) that you didn't need one. Odd, I thought, and removed it to
> see what'd happen. Suddenly I get much faster DNS. Huh?

Your mileage may vary.

> However, if I removed it from a machine one firewall behind that (we
> have two networks that go Internet --dsl router-->network 1--firewall
> linux-->network 2) ie in network 2, that one ground to a halt, so I put
> it back and it worked fine again.

Forwarders are needed in three cases:

    1) Separate (disjoint) namespaces with different roots*
        (e.g., THE Internet and another internal root with child domains)
        A DNS server can only use one separately rooted namespace
        (without assistance from something like a forwarder.)

    2) When your internal DNS servers are prevented by firewalls or
        forbidden by security policy from making contact

    3) To protect a WAN line:  consolidate the cache of public info
        on a single DNS (forwarder) server, or allow a server on the
        'other side' to use better bandwidth to make most of the requests.

Note:  #1 and #2 require forwarders -- #3 makes forwarders desirable.

*It takes special configuration of BIND (etc) to do this one reliably --
MS DNS (through 2003) does not support the necessary configuration.

Also note, all three "reasons" for using forwarders amount to:  Your
internal DNS servers cannot, or should not, contact the Internet root, nor
other nameservers in the public namespace.
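An added illustration of how the three cases above map onto a BIND 9 named.conf. This is example configuration written for this page, not Herb's or the original poster's config; the directory, hints file name, the addresses (192.0.2.53 and the 10.x servers are documentation/private placeholders) and the internal top-level name "corp" are all assumed.

```conf
// Added example named.conf (BIND 9 syntax), not from the post above.
// All addresses and the name "corp" are placeholders for this example.

options {
    directory "/var/named";

    // Normal case from the post: recursion walks down from the root
    // hints (".", then the TLD, then the domain), so no forwarders
    // are listed at all.
    recursion yes;

    // Caveat that belongs with any recursive server: only your own
    // clients should be allowed to recurse through it, otherwise it
    // is an open resolver for anyone who can reach port 53.
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };

    // Case 2 / case 3 (server behind a firewall, or one shared cache
    // for the WAN link): uncomment these two lines to hand every
    // non-authoritative query to the DNS server on the outer network
    // instead of walking from the root.
    //   "forward only"  never falls back to the root hints;
    //   "forward first" tries the forwarder, then the roots if it fails.
    //
    // forwarders { 192.0.2.53; };
    // forward only;
};

// Root hints: the "cache file" the post refers to. Without this zone
// (and without forwarders) the server has nowhere to start resolving
// public names.
zone "." {
    type hint;
    file "named.ca";
};

// Case 1 (disjoint namespace): queries under the internal root "corp"
// go only to the internal servers, while everything else still
// resolves from the public root. This per-zone forwarding is the
// "special configuration of BIND" the footnote refers to.
zone "corp" {
    type forward;
    forward only;
    forwarders { 10.1.1.53; 10.1.2.53; };
};
```

For a server that genuinely cannot reach the Internet (case 2), "forward only" is the setting to pair with the forwarders: with "forward first", a forwarder outage makes the server fall back to root hints that the firewall silently drops, and clients see long timeouts rather than a quick failure. Restricting allow-recursion to the internal ranges matters in every case, since a forwarder does nothing to stop outsiders from using the server as a recursive resolver.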
