Why use Forwarders?

Bill Larson wllarso at swcp.com
Thu Mar 11 16:28:27 UTC 2004


On Thursday, March 11, 2004, at 07:59 AM, Oli Comber wrote:

> I've had problems recently with my bind9 setup where resolution would 
> be
> very slow or not work at all when using Forwarders.

In this situation, it sounds like you have made a poor choice of what 
server(s) to forward your queries to.  Generally, you want to select a 
server based upon its ability to respond quickly to your queries or 
else you would perform the whole query yourself.

> Now I'm not using them, resolution is fine and dandy and very fast.
>
> It makes no difference to me whether I use Forwarders or not - I'm on a
> small home network, no need for load balancing.

Forwarding doesn't provide "load balancing", or I'm not sure what you 
are referring to.

> Why would one want to use a forwarder instead of doing a lookup
> directly?

What would you do if you were on a network that had a firewall that 
prevented outgoing DNS queries except from a certain set of "allowed" 
DNS servers?  You would use forwarding to one of these "allowed" 
servers. These servers should provide quick responses to your queries.

Another possibility for where you would definitely need to use 
forwarding is if your organization has a separate set of name servers 
for an internally defined zone that you want to be able to resolve but 
your server is not a slave to this zone.  This would be the situation 
where your organization uses "split-horizon" DNS services, i.e. 
different DNS information for internal queries compared to external 
queries.

Still another possibility is that your organization wants to minimize 
its need to make DNS queries on its Internet connection.  By using 
forwarding the organization can help to minimize the number of repeated 
queries by having caching name servers that are used as forwarders.  
I'm not too sure how useful this is anymore with DSL and Cable Modems 
providing minimal Internet connections, the DNS traffic isn't much.  
Back in the good old days when phone modems provided Internet 
connectivity for whole organizations, then doing anything possible to 
minimize traffic was worthwhile.

> Does a DNS server have to be set up in a different way to be used as a
> forwarder?

Yes, it has to allow recursive DNS queries by any of the servers that 
are configured to forward to it.  For example, I wouldn't suggest 
forwarding all queries to any of the "microsoft.com" servers because 
I'm sure that they are configured to only provide answers for their own 
domain.

> Can a server recognise that it is being used as a Forwarder and
> prioritise against that?

By disallowing recursion on a name server you are eliminating the 
usefulness of the server to act as a forwarder.

For a GOOD example of how to configure a server to allow and disallow 
forwarding for specific networks look at the "Secure BIND Template" at 
http://www.cymru.com/Documents/secure-bind-template.html.  Rob does an 
excellent job explaining how to configure this.

> I'm a bit confused - I don't like things that suddenly start working by
> magic!

As Jim Reid identified in another followup, it doesn't sound like you 
have to use forwarding in your situation so why even fight with trying 
to configure it.

I would suggest that you configure your server to limit its ability to 
provide recursive DNS service for the whole world.  I'm sure that 
someone will argue with this statement, but this is a generally 
accepted "best practice".  My opinion is that everyone should already 
have access to some DNS server as provided by their ISP.  If their ISP 
doesn't provide this service for them, then they should know how to 
provide it themselves.  Generally, people that make use of someone 
else's DNS services for general purpose use are people that are up to 
no good.  Again, my opinion only.

Bill Larson
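The configuration below is an added illustration, not part of Bill's reply or of the Secure BIND Template he points to. It sketches, in BIND 9 named.conf syntax, the three situations the reply describes: forwarding everything to an approved set of resolvers behind a restrictive firewall, a zone-level forward for an internal split-horizon zone that this server is not a slave for, and limiting recursion to local networks rather than the whole world. The ACL ranges, the forwarder addresses and the zone name "corp.example" are assumed placeholder values.

```conf
// Added example (not from the original thread): a BIND 9 named.conf
// fragment covering the situations described in the reply above.
// All addresses and the zone name "corp.example" are assumed values.

// Hosts that may use this server for recursive lookups.
acl "internal" {
    127.0.0.0/8;
    10.0.0.0/8;        // assumed internal range
    192.168.0.0/16;    // assumed internal range
};

options {
    directory "/var/named";

    // Forwarding only works on a recursive server, so recursion stays on,
    // but only for the ACL above.  "allow-recursion { any; };" would be
    // the open-resolver setting the reply argues against.
    recursion yes;
    allow-recursion { "internal"; };

    // Situation 1: the firewall only permits outbound DNS from a set of
    // approved resolvers, so every query goes to one of them.
    forwarders {
        192.0.2.53;      // assumed "allowed" caching resolver
        198.51.100.53;   // assumed second "allowed" resolver
    };

    // "forward only" fails outright when the forwarders do not answer.
    // "forward first" (the default) tries the forwarders, waits for them
    // to time out, and then resolves iteratively, which is what makes a
    // badly chosen forwarder show up as slow lookups rather than outright
    // failure.
    forward only;
};

// Situation 2: split-horizon internal zone that this server does not
// slave.  Only queries for this zone are sent to the internal servers;
// the global forwarders above handle everything else.
zone "corp.example" {
    type forward;
    forward only;
    forwarders {
        10.0.0.10;   // assumed internal authoritative server
        10.0.0.11;   // assumed internal authoritative server
    };
};
```

Check the syntax with `named-checkconf /etc/named.conf` before reloading. If the firewall blocks direct outbound DNS from this host, leave `forward only` in place: with `forward first` a dead forwarder would be followed by an iterative attempt that the firewall also drops, so the client sees the worst of both (a long wait and then a failure). The zone-level forwarders only need to be reachable from this server, not from the outside world, which is the point of keeping the internal zone out of the global forwarding path.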


