Can someone explain forwarders and why I don't need them?

Michele Chubirka chubirka at bellatlantic.net
Thu Jul 31 12:27:46 UTC 2003


This is PRECISELY how we use forwarders on our network. We have many
firewalled, "private" networks which have DNS servers inside the network
with a zone which is a small subdomain containing private addresses. The
same subdomain has public addresses on the "real" DNS servers outside the
private network. Also, all our Active Directory servers are in their own
subdomains and update/query MS forwarders. This seems to quarantine that MS
junk perfectly.

----- Original Message -----
From: "Joseph S D Yao" <jsdy at center.osis.gov>
To: "Alex Hulse" <alexhulse at hotmail.com>
Cc: <comp-protocols-dns-bind at isc.org>
Sent: Wednesday, July 30, 2003 6:32 PM
Subject: Re: Can someone explain forwarders and why I don't need them?


> On Wed, Jul 30, 2003 at 08:52:57PM +0100, Alex Hulse wrote:
> > I always used to think that in order for a named installed to work
> > right, it'd need a forwarder to work correctly - ie, point it to the
> > upstream DNS.
> >
> > I noticed in this group (when searching for the answer to something else
> > entirely) that you didn't need one. Odd, I thought, and removed it to
> > see what'd happen. Suddenly I get much faster DNS. Huh?
> >
> > However, if I removed it from a machine one firewall behind that (we
> > have two networks that go Internet --dsl router-->network 1--firewall
> > linux-->network 2) ie in network 2, that one ground to a halt, so I put
> > it back and it worked fine again.
> >
> > Really odd stuff! Any ideas?
>
> Normally, with a name server running on the public Internet, you will
> not need any forwarders.  You are born knowing the Root of All Names.
> From the Root, you can get information on Top Level Domains, Second
> Level Domains, and so on down, hierarchically.  Once you know the name
> and IP address of a domain's name server, you can ask it all the
> questions that you want, and it will answer you freely and happily.
> Life is bliss.
>
> A forwarder requires you to look in one particular place [or set of
> places] to get your DNS information.  It can be set to require forward
> "first", or forward "only".  It constrains your name server's freedom.
>
> Why would you want to do this to your gentle name server?  There are in
> fact times and circumstances in which, despite the "free love and info"
> promise of a network, there IS only one source of DNS information, or a
> small set of them.  In particular, if your name server is firewalled
> away from the public Internet so as to preserve its integrity, then the
> only place it can get external DNS information is via the firewall.  We
> need to be able to tell it to forward all "non-local" queries to the
> firewall.  And so we can.
>
> For a more complete explanation, run, do not walk, to your nearest
> purveyor of O'Reilly books, purchase a copy of Albitz & Liu's "DNS and
> BIND", Fourth Edition <URL: http://www.oreilly.com/catalog/dns4/>, or
> <URL: http://www.bookpool.com/.x/azjq2xtlx8/sm/0596001584>.  You may
> also wish to see the "DNS and BIND Cookbook", also by Cricket Liu,
> <URL: http://www.oreilly.com/catalog/dnsbindckbk/> or
> <URL: http://www.bookpool.com/.x/azjq2xjaim/sm/0596004109>.  Read them
> both before bedtime, and you will wake up with greater insight.  ;-)
>
> --
> Joe Yao jsdy at center.osis.gov - Joseph S. D. Yao
> OSIS Center Systems Support EMT-B
> -----------------------------------------------------------------------
>    This message is not an official statement of OSIS Center policies.
>
>
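The configuration both messages describe, written out as an added example (it is not part of the original thread and not a file either poster shared): a BIND `named.conf` for a name server on a firewalled, private network that is authoritative for a small private subdomain and forwards everything else to the firewall. The addresses (`10.0.0.1` as the firewall's resolver, `10.0.0.53` as an internal secondary, `10.0.0.0/8` as the internal network) and the zone name `corp.example.com` are assumed placeholders.

```conf
// Added example, not from the original thread. A BIND named.conf for a
// name server inside a firewalled private network. All addresses and the
// zone name below are assumed placeholders.

options {
    directory "/var/named";

    // Only internal clients may use this server as a recursive resolver;
    // this keeps it from being an open resolver should the firewall ever
    // leak queries inbound.
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };

    // The server cannot reach the public Internet, so every query it
    // cannot answer from its own zones goes to the resolver on the
    // firewall (assumed address).
    forwarders { 10.0.0.1; };

    // "forward only": never fall back to iterative resolution from the
    // root hints. With "forward first", a failed forwarder makes named
    // try the roots itself, which, behind a firewall that blocks that
    // traffic, just means long timeouts (the "ground to a halt" symptom
    // above when no forwarder was configured at all).
    forward only;
};

// Private copy of the subdomain: this server is authoritative for it, so
// these names are answered locally and are never sent to the forwarder.
// The "real" servers outside the firewall hold a separate copy of the same
// subdomain containing only the public addresses.
zone "corp.example.com" {
    type master;
    file "corp.example.com.zone";
    // Only the internal secondary (assumed address) may transfer the
    // private data.
    allow-transfer { 10.0.0.53; };
};
```

Check the file with `named-checkconf` before reloading. The split that Michele describes happens by which server a client asks, not by any rule inside one server: internal clients resolve `corp.example.com` against this server and get private addresses, external clients ask the public servers and get public ones, and the private zone data never has to cross the firewall.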