How to configure forwarder on BIND 4

Mark Andrews Mark_Andrews at isc.org
Thu Jul 31 23:09:07 UTC 2008


> There is no reason you can't make the BIND 4 box serve your authoritative
> domains, and forward anything it does not load/cache to another DNS
> server.
> Had to grab the DNS and BIND 1st edition for this one but you should be able
> to do it with:
> forwarders 1.1.1.1 1.1.1.2 etc
> slave
> 
> Slave is what BIND 4 used as forward only.

	But if you are going to "forward only;" you can use TSIG
	with 9.4.2 and secure your communication paths.  You will
	stop being an open recursive server by default.   When BIND
	9.4.3 is finalised you can upgrade to it or to BIND 9.5.2.

	The -P1s (and the upcoming -P2s) are stopgap measures until
	the betas stabilise.  They work for most sites most of the
	time; however, for large sites there will be more hand tuning
	involved, potentially retuning the kernel to return more
	descriptors.

	Named has gone from using a small number of descriptors to
	using potentially very large numbers which will exceed the
	system's ability to supply them.  The problem is to work
	out good strategies to deal with the problem.  We are working
	on how to deal with the issue without making the security
	picture worse or degrading performance though it may come
	down to making a choice.

	Mark
 
> On Thu, Jul 31, 2008 at 12:57 PM, Jaroslaw Rafa <raj at ap.krakow.pl> wrote:
> 
> > After three days of unsuccessful attempts to run BIND 9.5.0-P1 on a very
> > old system, I gave up. Because this machine is about to be completely
> > replaced by a new one in several months, in the meantime I will use a
> > forwarder.
> >
> > However, I have two questions:
> > 1) what should I do when my DNS server is not only a resolver for the
> > clients, but also a master server for several zones? Should I keep the
> > master zones on the server and forward anything else to the forwarder, or
> > move all the zones to the machine running forwarder and use a forward-only
> > configuration? I'd prefer the first solution if possible.
> > 2) can anybody help with how to configure this on BIND 4?
> > Regards,
> >   Jaroslaw Rafa
> >   raj at ap.krakow.pl
> > --
> > Visit my new website: http://www.ap.krakow.pl/~raj/
> >
> >
> >
> 
> 
> -- 
> -Ben Croswell
> 
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
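
A BIND 4 boot file for the first option in the question (keep the master zones on the old server, forward everything else), as an added example that is not part of the original thread. The zone names, file names, directory and forwarder addresses (192.0.2.x documentation range) are placeholders.

```conf
; /etc/named.boot -- BIND 4 boot file (added example; all names and
; addresses below are placeholders, not values from the thread)

directory /var/named

; Zones this server is master for. They are loaded from local files
; and answered authoritatively; the forwarders are not involved.
primary   example.com               db.example.com
primary   2.0.192.in-addr.arpa      db.192.0.2
primary   0.0.127.in-addr.arpa      db.127.0.0

; Root hints (standard entry).
cache     .                         db.cache

; Anything not answered from the zones above or from the cache is
; sent to these servers, tried in the order listed.
forwarders 192.0.2.1 192.0.2.2

; Forward-only mode: if the forwarders do not answer, the query fails
; instead of this server resolving it on its own. BIND 4.9.3 and later
; also accept "options forward-only" as the newer spelling.
slave
```

With `slave` set, every lookup outside the local zones depends on the forwarders, so list more than one and restrict who may query the forwarders themselves.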

