Need help with a STRANGE configuration

Kevin Darcy kcd at daimlerchrysler.com
Mon Jan 10 23:26:57 UTC 2000


Barry Margolin wrote:

> In article <387A5615.B4780E86 at daimlerchrysler.com>,
> Kevin Darcy  <kcd at daimlerchrysler.com> wrote:
> >Barry Margolin wrote:
> >
> >> In article <slrn87k8fl.gan.lurker at angband.org>,
> >> Chris A. Henesy <lurker at NO.SPAM.cc.gatech.edu> wrote:
> >> >What I would like to do is set up BIND on my box so that it is a caching
> >> >nameserver that forwards requests for machines in mydomain.com,
> >> >subdomain.mydomain.com, moresubdomains.mydomain.com, etc., to our internal
> >> >DNS server, and requests for all other domains to the ISP's DNS server.
> >> >(My machine itself will store no zonefiles)
> >>
> >> options {
> >>   forwarders { <ISP's DNS server address>; };
> >>   forward only;
> >> };
> >>
> >> zone "mydomain.com" {
> >>   type forward;
> >>   forwarders { <internal DNS server address>; };
> >> };
> >>
> >> The "type forward" zone was introduced in BIND 8.2.
> >
> >Note that if the internal server doesn't allow recursive queries, zones of type
> >"forward" aren't going to work. In that case, you'll *have* to store some
> >internal-zone information on your box, but only for the top-level zone of each
> >internal domain. You can define these as either
>
> He said he wanted queries for all subdomains of their internal domain to be
> sent to that nameserver, not to other internal nameservers.  So either they
> don't have different servers for the subdomains, or it allows recursive
> queries.

You are correct. I didn't read the question carefully enough. I'm not sure why one
would want to restrict oneself to using only one server for all internal queries,
though, unless there were some insurmountable accessibility
(network/firewall/ACL) issues.

> I can't think of why someone would disable recursion on an
> internal-only nameserver, anyway.

Oh, I have restricted recursion on our main primary nameserver to only local
queries. It's a "pure" internal root server that should only be talking to other
nameservers anyway. Of course, being authoritative for, and caching, just about all
of the information that anyone around here cares about anyway, this machine is
still quite popular: the occasional network-management-station gets configured as
a slave to it whereupon my query count shoots through the roof until I bitch about
it. I wish the recursion option were fine-grained enough to specify rejection
versus referral.


- Kevin
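
Whether a "type forward" zone can work depends on how the target server treats a query with the RD bit set, which is also the rejection-versus-referral distinction mentioned above. The following is an added example, not part of the original message or of BIND: it builds such a query and classifies a reply from its header flags. The function names and the constructed sample replies are assumptions made for illustration.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits

def build_query(name, qid=0x1234):
    """Minimal A/IN query with RD set, as a forwarding server would send it."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify_response(msg):
    """Say how the server treated a recursive query, using only the header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    if (flags & 0x000F) == 5:
        return "refused"         # rejection: the forwarder gets no data at all
    if flags & RA:
        return "recursive"       # usable as a forward target
    if an == 0 and ns > 0 and not (flags & AA):
        return "referral"        # delegation only: a pure forwarder cannot follow it
    return "authoritative-only"  # answers from its own zones, no recursion offered

def fake_response(query, flags, an=0, ns=0):
    """Constructed sample: reuse the question, rewrite header flags and counts."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, flags, 1, an, ns, 0) + query[12:]

def probe(server, name, timeout=3.0):
    """Send the query over UDP to `server` and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify_response(s.recvfrom(512)[0])

if __name__ == "__main__":
    q = build_query("host.mydomain.com")  # constructed name from the thread's example
    for label, flags, an, ns in [("recursing", QR | RD | RA, 1, 0),
                                 ("referring", QR | RD, 0, 2),
                                 ("refusing", QR | RD | 5, 0, 0)]:
        print(label, "->", classify_response(fake_response(q, flags, an, ns)))
```

Running `probe()` against the intended internal server before adding the forward zone shows which of the four cases applies; only "recursive" works for names the server is not itself authoritative for.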



