Why use Forwarders?
Bill Larson
wllarso at swcp.com
Thu Mar 11 16:28:27 UTC 2004
On Thursday, March 11, 2004, at 07:59 AM, Oli Comber wrote:
> I've had problems recently with my bind9 setup where resolution would
> be very slow or not work at all when using Forwarders.
In this situation, it sounds like you have made a poor choice of what
server(s) to forward your queries to. Generally, you want to select a
server based upon its ability to respond quickly to your queries, or
else you would perform the whole query yourself.
> Now I'm not using them, resolution is fine and dandy and very fast.
>
> It makes no difference to me whether I use Forwarders or not - I'm on a
> small home network, no need for load balancing.
Forwarding doesn't provide "load balancing", or I'm not sure what you
are referring to.
> Why would one want to use a forwarder instead of doing a lookup
> directly?
What would you do if you were on a network that had a firewall that
prevented outgoing DNS queries except from a certain set of "allowed"
DNS servers? You would use forwarding to one of these "allowed"
servers. These servers should provide quick responses to your queries.
Another possibility for where you would definitely need to use
forwarding is if your organization has a separate set of name servers
for an internally defined zone that you want to be able to resolve but
your server is not a slave to this zone. This would be the situation
where your organization uses "split-horizon" DNS services, i.e.
different DNS information for internal queries compared to external
queries.
Still another possibility is that your organization wants to minimize
its need to make DNS queries on its Internet connection. By using
forwarding the organization can help to minimize the number of repeated
queries by having caching name servers that are used as forwarders.
I'm not too sure how useful this is anymore with DSL and Cable Modems
providing minimal Internet connections; the DNS traffic isn't much.
Back in the good old days when phone modems provided Internet
connectivity for whole organizations, then doing anything possible to
minimize traffic was worthwhile.
> Does a DNS server have to be set up in a different way to be used as a
> forwarder?
Yes, it has to allow recursive DNS queries by any of the servers that
are configured to forward to it. For example, I wouldn't suggest
forwarding all queries to any of the "microsoft.com" servers because
I'm sure that they are configured to only provide answers for their own
domain.
> Can a server recognise that it is being used as a Forwarder and
> prioritise against that?
By disallowing recursion on a name server you are eliminating the
usefulness of the server to act as a forwarder.
For a GOOD example of how to configure a server to allow and disallow
forwarding for specific networks look at the "Secure BIND Template" at
http://www.cymru.com/Documents/secure-bind-template.html. Rob does an
excellent job explaining how to configure this.
> I'm a bit confused - I don't like things that suddenly start working by
> magic!
As Jim Reid identified in another followup, it doesn't sound like you
have to use forwarding in your situation so why even fight with trying
to configure it.
I would suggest that you configure your server to limit its ability to
provide recursive DNS service for the whole world. I'm sure that
someone will argue with this statement, but this is a generally
accepted "best practice". My opinion is that everyone should already
have access to some DNS server as provided by their ISP. If their ISP
doesn't provide this service for them, then they should know how to
provide it themselves. Generally, people that make use of someone
else's DNS services for general purpose use are people that are up to
no good. Again, my opinion only.
Bill Larson
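The three situations Bill describes (forwarding through a firewall's "allowed" resolvers, forwarding an internal split-horizon zone to the organization's own servers, and refusing recursion to the whole world) map onto a short BIND 9 named.conf. The fragment below is an added illustration, not configuration from this post or from the Secure BIND Template; every address, network and zone name in it is a placeholder that would be replaced with your own.

```conf
// Added example named.conf fragment for BIND 9. Addresses, networks and
// the zone name are placeholders, not values from the thread.

// Hosts that are allowed to ask this server to recurse on their behalf.
acl "internal" { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/var/named";

    // Recursion only for our own hosts; everyone else gets referrals or
    // REFUSED. This is the "don't serve the whole world" recommendation.
    allow-recursion { "internal"; };

    // Firewall case: only these two resolvers may send DNS outbound, so
    // every query goes to them. "forward only" means named never falls
    // back to resolving iteratively if they fail, which is exactly the
    // slow-or-failing symptom seen when the chosen forwarders are poor.
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;
};

// Split-horizon case: corp.example is served by the organization's
// internal name servers and this server is not a slave for it, so
// queries for that zone are forwarded there regardless of the global
// forwarders above. A zone-level forward statement overrides the
// options-level one.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; };
};
```

Two checks worth doing before relying on this: confirm that each listed forwarder actually permits recursion from this server (a `dig @192.0.2.53 www.example.com` returning an answer with the `ra` flag set, rather than REFUSED), since a forwarder that will not recurse is useless as Bill notes; and decide deliberately between `forward only` and `forward first`. `forward first` retries the query iteratively when the forwarders fail, which hides a flaky forwarder but defeats the purpose in the firewall case, where outbound iterative queries would simply be dropped.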