Forwarding Environment

Danny Mayer mayer at gis.net
Sun Jun 10 17:57:37 UTC 2007


Merton Campbell Crockett wrote:
> There is a changing of the guard at my company.  My responsibility
> for DNS is being shifted to our IT subcontractor.  The IT  
> subcontractor has constructed a new DNS architecture based on the use  
> of forwarding.
> 
> There has been a significant increase in users reporting name  
> resolution problems and increased reports of network "slowness" that  
> may be related to problems resolving domain names.
> 
> At each of our corporate sites there is a server that runs the ISC
> DHCP and BIND daemons.  Each server has a forwarders statement in its
> global options that lists the IP addresses of three "core" name
> servers located at sites with Internet access.  These also happen to
> be the sites with the most network congestion.
> 
> I have been tasked to provide recommendations to management regarding  
> DNS.  I have used DNS forwarding in the past but in most instances it  
> was used to forward DNS requests to a server that could provide  
> reliable information about specific domains, i.e. there was a private  
> network connection and name server could resolve names in DNS zones  
> that were not accessible via the Internet.
> 
> My gut feeling is that there is something wrong with how the  
> forwarding architecture has been constructed.  I would like  
> clarification on generic issues in a forwarding environment.
> 

Right. The only time you should use forwarders is for private zones and
you forward only those queries to the nameservers which have the answers
to those queries. There is no benefit to global forwarding and you
become totally dependent on those forwarders for responses. So if one
goes down for any reason you lose. If the subcontractor comes back and
says that it's because they are pooling cached results it's really not
buying you anything. There are just too many names being searched to
make the benefit likely and too many risks. DNS is by its design
distributed so having requests funneled is self-defeating.

Danny
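
The two setups discussed in this thread, as an added example that is not part of the original posts: global forwarding as described in the question, beside forwarding limited to a private zone as recommended in the reply. The zone name `corp.example`, the directory path and all addresses (192.0.2.0/24 documentation range) are constructed placeholders, and the second fragment assumes the site server can reach the Internet to resolve public names itself.

```conf
// Constructed named.conf fragments. These are two alternatives,
// not one file: a named.conf may contain only one options block.

// --- Fragment A: global forwarding (the setup in the question) ---
options {
    directory "/var/named";
    // Every query not answered from local data or cache is sent to the
    // three "core" servers. With the default "forward first", the server
    // falls back to its own recursion only after the forwarders fail to
    // answer, so a slow or congested forwarder delays every lookup.
    forwarders { 192.0.2.1; 192.0.2.2; 192.0.2.3; };
};

// --- Fragment B: forwarding only for private zones (the reply) ---
options {
    directory "/var/named";
    // No global forwarders: public names are resolved by normal
    // recursion from the root, independent of the core servers.
    recursion yes;
    // Serve recursion to local clients only, so the site server
    // does not become an open resolver.
    allow-recursion { localhost; localnets; };
};

// Only queries for the private zone are forwarded, and only to the
// nameservers that actually hold the answers for it.
zone "corp.example" {
    type forward;
    // "forward only": never try to resolve this zone on the Internet,
    // where it does not exist and where the query would leak the name.
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};
```

`named-checkconf` will validate either fragment when it is placed in its own configuration file.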


