Question About Internal Recursive Resolvers

Greg Choules gregchoules+bindusers at googlemail.com
Fri Oct 14 16:50:37 UTC 2022


Hi John.
Yes, you *could* forward and that was a setup I inherited a good few years
ago. The appeal is obvious: it's easy to do; just chuck queries over there
and get answers.
But forwarding keeps the RD bit set, meaning that the server being
forwarded to should a) have recursion enabled (though it will still answer
if it is authoritative anyway) and b) is now obliged to try and find an
answer, so if the people who run that server happen to configure forwarding
somewhere else you can potentially end up with long, ugly chains of
forwarding, even loops. None of stub, static-stub or mirror do this.

Just my 2p.
Greg

On Fri, 14 Oct 2022 at 17:38, JW λ John Woodworth <jw at pcthink.com> wrote:

> Hi Bob,
>
> I've been able to do this with 'forward' zones.  The config would go in
> the resolver but the files would not.
>
>
> /John
>
> -------- Original message --------
> From: Bob McDonald <bmcdonaldjr at gmail.com>
>
> I'm thinking about redesigning an internal DNS environment. To begin
> with, all internal DNS zones would reside on non-recursive servers
> only. That said, all clients would connect to recursive resolvers.
>
> The question is this; do I use an internal root with pointers to the
> internal zones (as well as the outside DNS world) or do I include stub
> zones to point at the non-recursive internal servers?
>
> Access to the internal DNS zones would be controlled by location.
> (e.g. guest WiFi devices would NOT have access to internal DNS
> zones...)
>
> Recursive resolvers would allow implementation of features such as RPZ,
> etc.
>
> Regards,
>
> Bob
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
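The wire-level difference described in the reply above, as an added example that is not part of the original thread: a forwarded query arrives with RD set, while the iterative queries a resolver sends for stub or static-stub zones arrive with RD clear. The function names, the classification labels and the zone `corp.example.` are assumptions made for illustration, and the packets are constructed inline.

```python
import struct

RD_MASK = 0x0100  # "recursion desired" bit in the DNS header flags word (RFC 1035)
QR_MASK = 0x8000  # set on responses, clear on queries


def build_query(qname, rd, qid=0x1234, qtype=1):
    """Build a minimal DNS query. rd=True mimics a forwarder, rd=False an iterative resolver."""
    header = struct.pack("!HHHHHH", qid, RD_MASK if rd else 0, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (qname, rd, is_query) decoded from a raw DNS message."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0 or pos + 1 + length > len(packet):
            raise ValueError("malformed label in question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels).lower() + ".", bool(flags & RD_MASK), not flags & QR_MASK


def classify(packet, local_zones):
    """Classify a query as seen by an authoritative-only server (hypothetical labels)."""
    qname, rd, is_query = parse_query(packet)
    if not is_query:
        return "not-a-query"
    if not rd:
        return "iterative"  # RD clear: the sender resolves for itself
    in_zone = any(qname == z or qname.endswith("." + z) for z in local_zones)
    # RD set: the sender is a forwarder or stub client asking this server to recurse
    return "forwarded-in-zone" if in_zone else "forwarded-out-of-zone"
```

Queries classified as "forwarded-out-of-zone" are the ones that need recursion on the target server, which is where forwarding chains start.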

