Firewall, split dns and the forwarders directive

André Pirard A.Pirard at ulg.ac.be
Fri Jul 23 10:48:54 UTC 1999


Ted_Rule at flextech.co.uk wrote:

>[much very recommended reading of a very precise explanation deleted]
>
>The forwarders setting for a zone determines which set of forwarders are chosen
>to look via should the query fail on "this" server. Hence the split DNS setup
>for which Cricket has shown this section
>
>zone "movie.edu" {
>    type master;
>    file "db.movie.edu";
>    forwarders {};
>};
>
>actually hinges on the interaction of two forwarders settings - one in the
>global options settings, and the one shown above for the "top-level-internal"
>zone.
>
>When a query is made to the server for a name which is not currently in the
>cache, or which is not in a pre-loaded zone (either from a file or a
>slave-zone-transfer), the server searches all the zones listed in the
>configuration for the nearest match to the name, and chooses the forwarders
>list from that zone. If no match is found, it uses the forwarders list from
>the global options.
>
>[ditto]

Exactly the answer to my long-dated question/problem, many thanks.
This "forwarders" option should definitely be highlighted as the
non-default option to prevent "forward" from breaking DNS descending behavior.
I suppose "forwarders" behaves alike for all "type"s.
Is that a change of behavior to "type forward", for which I seem to
read that "forwarders" does not apply to subzones?

>And why would you want to bother? Well, I believe it's really down to the
>possibilities for delegating responsibility for the maintenance of internal
>subzones to different departments in a large multi-domain enterprise, AND
>providing resilience against the loss of firewall DNS services.

In at least one case, it's *impossible* to make other servers
authoritative for a zone than the server which is periodically
updating definitions with a small TTL.

Best regards, and many thanks again,

André.
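
As an added illustration (not part of this thread, and not BIND's own code), the following Python models the selection rule Ted describes above: the nearest configured zone's forwarders clause wins, and the global options list is used only when the nearest zone has no clause of its own. The zone set, the delegated "fx.movie.edu" department and the 192.0.2.53 / firewall address are constructed for the example; the point it makes is that forgetting the empty "forwarders {};" on the internal top-level zone sends queries for internally delegated subzones to the firewall's DNS instead of following the internal delegation.

```python
# Added example modelling BIND's per-zone forwarders selection as described
# in the post above. Zone names, the "fx" department and the address
# 192.0.2.53 are constructed for illustration; this is not BIND code.
from typing import Dict, List, Optional

# options { forwarders { 192.0.2.53; }; };   (the firewall's DNS, constructed)
GLOBAL_FORWARDERS: List[str] = ["192.0.2.53"]

# A zone maps to its "forwarders" clause: a list (possibly empty, i.e.
# "forwarders {};"), or None when the zone has no forwarders clause at all.
Zones = Dict[str, Optional[List[str]]]

# Cricket's split-DNS setup: the internal top-level zone switches
# forwarding OFF, so names below it are resolved by following the
# internal delegations in db.movie.edu.
#   zone "movie.edu" { type master; file "db.movie.edu"; forwarders {}; };
SPLIT_DNS_ZONES: Zones = {"movie.edu": []}

# The same server with the forwarders {} line forgotten: the zone has no
# clause, so it inherits the global (firewall) forwarders list.
#   zone "movie.edu" { type master; file "db.movie.edu"; };
INHERITING_ZONES: Zones = {"movie.edu": None}


def nearest_zone(name: str, zones: Zones) -> Optional[str]:
    """Return the configured zone with the longest suffix match for name, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def effective_forwarders(name: str, zones: Zones,
                         global_forwarders: List[str]) -> List[str]:
    """Forwarders used for a name the server cannot answer from cache or
    loaded zone data: the nearest zone's list if that zone has a forwarders
    clause, otherwise the global list. An empty result means "do not
    forward; resolve by following delegations"."""
    zone = nearest_zone(name, zones)
    if zone is None:
        return list(global_forwarders)
    zone_forwarders = zones[zone]
    if zone_forwarders is None:
        return list(global_forwarders)
    return list(zone_forwarders)


def describe(name: str, zones: Zones, global_forwarders: List[str]) -> str:
    """One-line summary of where a query for name would be sent."""
    fw = effective_forwarders(name, zones, global_forwarders)
    if not fw:
        return f"{name}: forwarding off, follow delegation (internal servers)"
    return f"{name}: forward to {', '.join(fw)}"


if __name__ == "__main__":
    # www.fx.movie.edu is delegated inside db.movie.edu to a departmental
    # server; it is not a zone loaded on this server, so the forwarders
    # selection step applies.
    for zones, label in ((SPLIT_DNS_ZONES, "with forwarders {}"),
                         (INHERITING_ZONES, "without forwarders {}")):
        print(label)
        print(" ", describe("www.fx.movie.edu", zones, GLOBAL_FORWARDERS))
        print(" ", describe("www.example.com", zones, GLOBAL_FORWARDERS))
```

Run it and compare the two outputs: with the empty clause the internal name stays inside, and the external name still goes to the firewall forwarder; without it, both go to the firewall, which cannot resolve the internal delegation.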
