non-recursive queries on 8.2.2 pl 5

Kevin Darcy kcd at daimlerchrysler.com
Tue Nov 23 20:25:25 UTC 1999


Peter.Pedersen at sas.dk wrote:

> Hi,
>
> The idea was to have a static configuration on the firewall using the new
> feature "forward zone" in order to simplify maintenance, since the people in
> the DNS group do not have access to the firewall.
>
> The configuration on the firewall points to a number of different DNS
> servers (maintained by partners) on an extra-net and on the intranet and we
> do not want to make zone-transfers from internal or external DNS servers.
> This configuration minimizes the maintenance on the firewall and the need for
> bandwidth (no zone transfer).
>
> It is not yet in production, but everything seems to be fine except when the
> DNS server receives a non-recursive query and it does not have the information
> in cache.
>
> Unfortunately this happens quite often, since the other partners' access to
> our DNS (on the extranet firewall) goes through their own DNS servers (using
> forward-zone or internal root configuration). A DNS server makes non-recursive
> queries in order to resolve names.
>
> I have not found any way to force a DNS server to make recursive queries??
>
> Any ideas???
>
> Here is a small part of the named.conf
>
> zone "sas.star-alliance.net" in {
>         type forward;
>         forward only;
>         forwarders { 159.195.66.66; 159.195.77.77; };
>         check-names warn;
> };
>
> zone "12.60.57.in-addr.arpa" in {
>         type forward;
>         forward only;
>         forwarders { 159.195.66.66; 159.195.77.77; };
>         check-names warn;
> };
>
> zone "ual.star-alliance.net" in {
>         type forward;
>         forward only;
>         forwarders { 57.60.16.9; };
>         check-names warn;
> };
>
> Thanks for the help.
>
> Peter Pedersen
>
> E-mail:                 peter.pedersen at sas.dk
> Phone:          +45 32 32 6138
> Fax:            +45 32 32 6731
> SAS-mail:       CPHXA/PED
>
> Scandinavian Airlines Data Denmark A/S
> Afd. CPHXA
> Engvej 165, Postbox 1819
> DK-2300  København S

If your partners are *forwarding* queries to your firewall using "type
forward", then those queries should be recursive and you shouldn't have any
problems with them.

If they are using the firewall iteratively as an authoritative server, then you
don't have much choice but to make it a slave. Depending on how often the
domain changes, how big it is, and whether IXFR is available, being a slave can
often use *less* bandwidth than constantly forwarding queries.


- Kevin
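
The two cases in the reply above differ only in the RD (Recursion Desired) bit of the DNS query header, so a captured query can be sorted into one or the other by reading that bit. The following is an added example, not part of the original thread; the host name `www` and the function names are constructed for illustration.

```python
import struct

def build_query(name, qtype=1, rd=True, qid=0x1234):
    """Build a minimal DNS query; rd sets the Recursion Desired bit."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN

def parse_query(packet):
    """Return (qname, qtype, rd) for a DNS query, or raise ValueError."""
    if len(packet) < 12:
        raise ValueError("shorter than DNS header")
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _ = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, bool(flags & 0x0100)

def classify(packet):
    """Map the RD bit onto the two cases described in the reply."""
    name, _, rd = parse_query(packet)
    kind = "recursive (forwarder or stub)" if rd else "iterative (expects an authoritative server)"
    return f"{name}: {kind}"

# Constructed sample queries for a zone named in the quoted named.conf.
SAMPLES = [build_query("www.sas.star-alliance.net", rd=True),
           build_query("www.sas.star-alliance.net", rd=False)]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt))
```
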


