Question About Internal Recursive Resolvers
JW λ John Woodworth
jw at pcthink.com
Fri Oct 14 17:07:19 UTC 2022
Hi Greg,Great points! I must have forgotten how messy this got :) ./John
-------- Original message --------From: Greg Choules <gregchoules+bindusers at googlemail.com>Hi John.Yes, you *could* forward and that was a setup I inherited a good few years ago. The appeal is obvious: it's easy to do; just chuck queries over there and get answers.But forwarding keeps the RD bit set, meaning that the server being forwarded to should a) have recursion enabled (though it will still answer if it is authoritative anyway) and b) is now obliged to try and find an answer, so if the people who run that server happen to configure forwarding somewhere else you can potentially end up with long, ugly chains of forwarding, even loops. None of stub, static-stub or mirror do this.Just my 2p.GregOn Fri, 14 Oct 2022 at 17:38, JW λ John Woodworth <jw at pcthink.com> wrote:Hi Bob,I've been able to do this with 'forward' zones. The config would go in the resolver but the files would not./John-------- Original message --------From: Bob McDonald <bmcdonaldjr at gmail.com>I'm thinking about redesigning an internal DNS environment. To beginwith, all internal DNS zones would reside on non-recursive serversonly. That said, all clients would connect to recursive resolvers.The question is this; do I use an internal root with pointers to theinternal zones (as well as the outside DNS world) or do I include stubzones to point at the non-recursive internal servers?Access to the internal DNS zones would be controlled by location.(e.g. guest WiFi devices would NOT have access to internal DNSzones...)Recursive resolvers would allow implementation of features such as RPZ, etc.Regards,Bob-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this listISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.bind-users mailing listbind-users at lists.isc.orghttps://lists.isc.org/mailman/listinfo/bind-users--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20221014/844afc32/attachment-0001.htm>
More information about the bind-users
mailing list