Can internal root server also forward?

Kevin Darcy kcd at chrysler.com
Tue Aug 26 23:18:05 UTC 2008


Delegating to a forwarder doesn't work. Only iterative resolvers follow 
delegations and they only send *non-recursive* queries. Non-recursive 
queries are never forwarded.

Unfortunately, if you want this to work through a narrow firewall 
conduit, you're going to have to set up a multi-level forwarding 
hierarchy, and apply it to *every* zone you want to resolve through that 
conduit, on *every* server that needs the name resolution. Multi-level 
forwarding hierarchies tend to be (as Cricket would say) "brittle", and 
to bottleneck.

From a DNS infrastructure standpoint you're much better off with 
liberal firewall rules and normal iterative resolution via delegations 
from your internal root zone. You and your security folks may not see 
eye-to-eye on this, of course, so it's a subject of negotiation.

                           - Kevin

joeunc wrote:
> Well what we have is that it is a separate company outside the
> firewall that is kind of "merged" in with existing company.
> Company A wants to resolve internal hosts on Company B. The forwarding
> was hoping to not have to open all the firewalls between the two for
> the delegation from root to happen via NS records.
> We are thinking of putting in a forwarder box and delegating at
> internal root to that forwarder and then running forward only caching
> on the forwarder over to the "other" company.
>
> thanks
> Joe
>
>
>
> On Aug 25, 11:34 pm, Mark Andrews <Mark_Andr... at isc.org> wrote:
>   
>>> Have an internal root server with zone db.root.
>>> Forwarding is not turned on as a global option. Tried to add two forward
>>> zones with forward only into the root server and it would never
>>> forward. NXDOMAIN on localhost digs for that forward zone. If the zone
>>> is delegated in the db.root file with NS records it works
>>> obviously. The internal root server is running BIND 9.2.2.
>>>       
>>> Are there limitations on a root server having forward only zones?
>>>       
>>> thanks
>>> Joe
>>>       
>>         The real question is why did you decide to use forward
>>         zones rather than using a normal delegation.
>>
>>         Forward zones are there for when you need to do something
>>         special.  They are not a replacement for doing normal
>>         delegations.
>>
>>         Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andr... at isc.org
>>     
>
>
>
>
>   
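
The two designs Kevin contrasts, written out as an added example in BIND 9 named.conf and zone-file syntax (this is not configuration from the thread or from ISC; every name and address is hypothetical, using .example names and the 192.0.2.0/24 and 10.0.0.0/8 ranges). The first is the delegation from the internal root that he recommends; the second is the multi-level forwarding hierarchy, showing where the forward zones actually have to live for it to work:

```conf
// ---------------------------------------------------------------------
// Design 1: delegation from the internal root (Kevin's recommendation).
// Company A's internal root zone delegates corp-b.example. to Company B's
// own servers. Each internal recursive server follows the NS record with
// a non-recursive query, so the firewall must allow port 53 (UDP and TCP)
// from every internal resolver to 192.0.2.53 and 192.0.2.54.
// ---------------------------------------------------------------------

; db.root on the internal root server (zone-file syntax, ';' comments)
$TTL 86400
.                     IN SOA  ns1.corp-a.example. hostmaster.corp-a.example. (
                              2008082601 ; serial
                              3600       ; refresh
                              900        ; retry
                              604800     ; expire
                              86400 )    ; negative-cache TTL
.                     IN NS   ns1.corp-a.example.
ns1.corp-a.example.   IN A    10.1.0.53
corp-b.example.       IN NS   ns1.corp-b.example.   ; delegation, not forwarding
corp-b.example.       IN NS   ns2.corp-b.example.
ns1.corp-b.example.   IN A    192.0.2.53            ; glue
ns2.corp-b.example.   IN A    192.0.2.54            ; glue

// named.conf on every internal recursive server: hint at the internal
// root and let ordinary iterative resolution follow the delegation.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };
};
zone "." { type hint; file "internal-root.hints"; };

// ---------------------------------------------------------------------
// Design 2: forwarding hierarchy through a narrow firewall conduit.
// A forward zone in db.root, or an NS record pointing at the forwarder
// box, does nothing: a resolver following a delegation sends RD=0
// queries and BIND forwards only recursive queries. So every internal
// recursive server carries its own forward zone for every Company B
// zone, aimed at the forwarder box, and the forwarder box in turn
// forwards to Company B.
// ---------------------------------------------------------------------

// named.conf on every internal recursive server (repeat per zone)
zone "corp-b.example" {
    type forward;
    forward only;
    forwarders { 10.1.0.99; };        // the internal forwarder box
};

// named.conf on the forwarder box 10.1.0.99, the only host the firewall
// needs to let through to Company B on port 53
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };  // internal resolvers only
};
zone "corp-b.example" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };
};
```

A quick check of the point about non-recursive queries, against the hypothetical forwarder above: `dig @10.1.0.99 +norecurse www.corp-b.example A` asks the forwarder box without the RD bit set, which is what a server following a delegation would do, and on a cold cache it will not produce an answer; the same query without `+norecurse` does get forwarded and answered. Two caveats worth keeping in mind with Design 2: the forwarder box is a single chokepoint, which is the "brittle" and "bottleneck" behaviour Kevin describes, so restrict `allow-recursion` to the internal resolvers and plan for its failure; and with Design 1 the firewall must admit whatever the iterative resolvers end up querying, not just the two listed servers, since any server Company B's zones refer to must be reachable as well.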


