Forwarding environment questions

Mark Andrews Mark_Andrews at isc.org
Mon Nov 26 05:56:39 UTC 2007


> I am currently in the process of re-structuring a fairly large BIND environment
> and have a few questions regarding forwarding.  Here is a simple overview of the 
> environment that I have in mind for Internal DNS:
> 
> * Internal Master (authoritative, uses forwarders to caching only servers for non-authoritative queries)
>  `- Slave 1 (authoritative, uses forwarders to caching only servers for non-authoritative queries)
>   - Slave 2 (authoritative, uses forwarders to caching only servers for non-authoritative queries)
>   - Slave 3 (authoritative, uses forwarders to caching only servers for non-authoritative queries)
>   - Slave 4 (authoritative, uses forwarders to caching only servers for non-authoritative queries)
> * Caching only nameserver 1 (no authoritative data, all other internal BIND servers forward to these for recursive queries)
> * Caching only nameserver 2
>   
> I am trying to follow best practices in that authoritative servers (masters and slaves) should
> not allow recursive lookups, but should use forwarders if necessary. Due to the nature of the 

	There is no "but should use forwarders if necessary".

> existing environment, all clients are pointing to either the internal master or slave servers for
> all name resolution (internal resolution, and recursive resolution).  In order to keep these
> authoritative servers from doing recursive lookups, my plan is to have them all use a forwarders statement
> in the global options to forward all recursive lookups to the two "Caching only nameservers" that
> we have in our environment.  Is using forwarders in this way considered to be a good practice versus
> these authoritative servers going out to the Internet directly for recursive lookups using root hints?
> 
> I am also a bit confused about the forwarders statements on the slave servers.  It is my understanding 
> that they will only use the forwarders (that are defined in options) if the nameserver does not
> contain authoritative data for the zone.. this is the case for slave zones as well?  Or do I need
> to specify "forwarders { };" for each of the zones on the slaves to force it to use the local authoritative
> data?  
> 
> I greatly appreciate any input or suggestions that you have.
> 
> Thanks,
> 
> Josh Baird

	You have totally missed the point of separating recursive
	and authoritative services.

	Firstly, do not use forwarders unless you know what you are
	doing.  Forwarders are there for very specific configuration
	issues.  Forwarders are one of the most abused configuration
	options in named.conf.

	For authoritative servers you really only need:

		options {
			recursion no;
			allow-query-cache { none; };
		};

		<zone definitions>

	That will isolate the clients from anything the server
	learns as it does its notify processing.  Note, authoritative
	servers (masters and slaves) will still ask questions, so
	they still need a hint zone.

	Caches can be slaves of zones but they should not be listed
	in the NS RRset for the zones.  It is actually common for
	caches to be slaves of internal zones as an override mechanism.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
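A check to run after applying the options block above, added here as an example that is not part of the thread: a POSIX shell script that sends a recursive query with dig to a server for a name it is not authoritative for, and reports whether the reply looks like an authoritative-only server (recursion REFUSED, no "ra" flag) or like a server still handing out recursive or cached answers. The live check assumes dig is installed; the two sample replies are constructed, not captured from anyone's servers.

```shell
#!/bin/sh
# Added example (not from the thread): audit a nameserver's reply to a
# recursive query and decide whether it behaves as an authoritative-only
# server (recursion no; allow-query-cache { none; }) or still offers recursion.
#
# audit_dig_output reads dig's text output on stdin and returns:
#   0  authoritative-only: query REFUSED and no "ra" flag advertised
#   1  the server answered or advertised recursion ("ra" set / not REFUSED)
#   2  output could not be parsed
audit_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/^.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out"  | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    [ -n "$status" ] && [ -n "$flags" ] || return 2
    # "ra" in the flags means the server is offering recursion to this client.
    case " $flags " in
        *" ra "*) return 1 ;;
    esac
    [ "$status" = "REFUSED" ] && return 0
    return 1
}

# check_server HOST NAME: dig sets RD by default, so this is a recursive query;
# NAME should be outside every zone HOST serves (hypothetical usage helper).
check_server() {
    dig @"$1" "$2" A +time=2 +tries=1 | audit_dig_output
}

# Constructed sample replies, trimmed to the header lines the audit parses.
AUTH_ONLY_REPLY=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
OPEN_RESOLVER_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

if [ "${1:-}" = "--selftest" ]; then
    printf '%s\n' "$AUTH_ONLY_REPLY" | audit_dig_output && echo "sample 1: authoritative-only"
    printf '%s\n' "$OPEN_RESOLVER_REPLY" | audit_dig_output || echo "sample 2: offers recursion"
fi
```

Run it as `sh audit.sh --selftest` to see the two constructed cases, or call `check_server 192.0.2.53 www.example.com` against a server you administer.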
