Firewall, split dns and the forwarders directive

André Pirard A.Pirard at ulg.ac.be
Mon Jul 19 23:49:08 UTC 1999


Barry Margolin <barmar at bbnplanet.com> wrote:

>   From: "Palano, Joseph" <Joseph.Palano at Fmr.COM>
>   Date: Thu, 1 Jul 1999 14:57:04 -0400 
>
>   Barry,
>
>          What you have said would make sense logically but I don't think it
>   agrees with page 385-386 of the "DNS&BIND" v3.  Could you please expand or
>   give me a reference.  This issue has been a hot topic for me and the rest of
>   the DNS "crew".  Thanks.
>
>I don't see the contradiction.  In the book's example, zardoz is
>authoritative for movie.edu, but not authoritative for fx.movie.edu.  So it
>never forwards queries for names in the movie.edu zone, but it will forward
>queries for names in the fx.movie.edu zone.
>
>A zone is not an entire DNS hierarchy -- it's bounded by delegation NS
>records.

And if zardoz forwards requests for names in the fx.movie.edu zone to a
forwardee that's neither authoritative for fx.movie.edu nor for
movie.edu, the forwardee may well send the request back to zardoz
because zardoz is authoritative for movie.edu.
It's a mistake for a name server to make requests to servers that are
"further away from the answer" than they are.
It's not always possible to avoid such loops by configuration (to make
the forwarder or forwardee authoritative for all subzones).
BIND should not forward requests for its subzones, at least as an
option.

Best regards,

André.

>> -----Original Message-----
>> From:        Barry Margolin [SMTP:barmar at bbnplanet.com]
>> Sent:        Friday, June 25, 1999 5:45 PM
>> To:  comp-protocols-dns-bind at moderators.uu.net
>> Subject:     Re: Firewall, split dns and the forwarders directive
>> 
>> In article <01JCTMLXT6RM000C41 at ACAD.DRAKE.EDU>,
>> George W. Miller <GM0551S at ACAD.DRAKE.EDU> wrote:
>> >There is a host, called charlie.drake.edu that sits out on the dmz.  My
>> >question is this: will the interior server forward to the exterior server
>> >a question about charlie.drake.edu, even though it has the same domain
>> >name as the interior network?  Thus far, the only way I can get resolution
>> >for queries concerning charlie is if I place an entry in the interior
>> >server host file.
>> 
>> If a server is authoritative (master or slave) for a zone then it never
>> forwards queries for a name in that zone.
>> 
>> -- 
>> Barry Margolin, barmar at bbnplanet.com
>> GTE Internetworking, Powered by BBN, Burlington, MA
>> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to
>> newsgroups.
>> Please DON'T copy followups to me -- I'll assume it wasn't posted to the
>> group.


André PIRARD                        ULgNet Coordinator, Adm. & Support
SEGI - Université de Liège          IP: 139.165.0.0 - ulg.ac.be
B26 - Sart Tilman                    www.ulg.ac.be
B-4000 Liège 1 (Belgium)
A.Pirard at ulg.ac.be                   +32-4-3664932  Fax: 2920
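As an added illustration that is not part of this thread, here is a BIND 9 named.conf for the interior server in the zardoz / fx.movie.edu scenario discussed above, showing where the zone boundary stops forwarding and one way to keep the delegated subzone from being forwarded to a forwardee that would loop back. The 192.0.2.x addresses and file names are constructed placeholders, and the per-zone forward statement is BIND 9 syntax that postdates this discussion.

```conf
// Constructed example: interior server "zardoz", BIND 9 syntax.
// 192.0.2.1 is a placeholder for the exterior (DMZ) server.
options {
    directory "/var/named";
    // Global forwarding: anything this server is NOT authoritative for
    // is sent to the exterior server first; if that fails, BIND recurses
    // on its own ("forward only;" would never fall back to recursion).
    forward first;
    forwarders { 192.0.2.1; };
};

// zardoz is authoritative for movie.edu.  Queries for names inside this
// zone are answered from db.movie.edu and are never forwarded, exactly
// as Barry describes above.
zone "movie.edu" {
    type master;
    file "db.movie.edu";
};

// fx.movie.edu is delegated away by NS records in db.movie.edu, so it is
// outside the movie.edu zone boundary.  Left alone, queries for it go to
// the global forwarder; a forwardee that is authoritative for neither
// fx.movie.edu nor movie.edu resolves them by following the delegation
// chain, which leads straight back to zardoz: the loop André warns about.
// A forward zone with an empty forwarders list switches forwarding off
// for this name and everything below it, so zardoz follows the delegation
// itself instead of handing the question to a server further from the answer.
zone "fx.movie.edu" {
    type forward;
    forwarders { };
};
```

Check the effect with `named-checkconf` and a query such as `dig @zardoz host.fx.movie.edu` while watching the forwardee's query log: the forwardee should no longer receive questions for fx.movie.edu.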