NS record for zone with forward

Kevin Darcy kcd at daimlerchrysler.com
Wed Feb 28 21:36:10 UTC 2001


Chris J. Herbst wrote:

> So what's the point of a forward then, to avoid going to the root servers
> for some domains?

Forwarding forces the nameserver to use certain nameservers for certain
domains, or, if configured "globally", i.e. in the "options" statement, to use
certain nameservers for all names not otherwise explicitly known (by virtue of
the server being master, slave or stub for the corresponding zone). Forwarding
is sometimes done, in its "forward first" form, for performance reasons,
because in some network topologies querying the forwarders might be
consistently faster than querying the authoritative servers themselves. Another
reason for forwarding -- in "forward only" mode -- is to get around
connectivity issues. The most common case is where clients behind a firewall
need to resolve Internet names. Since they can't contact Internet nameservers
directly, they have to be forced to use some box -- for instance, your
"two-headed" firewall -- which can resolve Internet names directly as well as
communicate with internal clients. It's even possible to create multiple levels
of forwarding, but this is not recommended.

> And why is forwarders{} valid if type master?

When you have global forwarding enabled, "forwarders {}" in a master, slave or
stub zone definition disables that forwarding for all subzones of that
particular zone. Without this facility, you'd have to list every subzone (a set
which might constantly change) as master, slave or stub, which could make for a
very large and hard-to-maintain named.conf file.

Note that only later versions of BIND (8.2 and above, I think) support
per-domain forwarding and the "forwarders { }" syntax. This explains why these
techniques aren't mentioned in "da book" (_DNS_and_BIND_ from O'Reilly), 3rd
Edition, which only covers through BIND 8.1.2. I assume they're covered in 4th
Edition...


- Kevin

> Kevin Darcy wrote:
>
> > If a nameserver is master for a DNS zone, then it considers itself
> > knowledgeable about *everything* in that zone. It will always answer
> > queries in the zone *definitively* from its own authoritative data, and
> > not use the forwarding mechanism or NS records to go ask some other
> > server. If a nameserver is queried for a name in one of its master zones
> > and there is no entry for that name in the zone file, then it responds
> > with NXDOMAIN (authoritative "domain name does not exist"). There is no
> > "fallback" option where it will go and ask some other nameserver.
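The three configurations Kevin describes (global "forward only" for a box behind a firewall, an empty "forwarders {}" in a master zone to switch that forwarding off below it, and per-domain "forward first"), written out as one named.conf. This is an added illustration, not part of the original post or the BIND distribution; the zone names, file names and addresses are placeholders, and the "type forward" zone statement assumes BIND 8.2 or later, as the post notes.

```conf
// Added example; placeholder names and addresses, not from the original post.
options {
    directory "/var/named";

    // Global forwarding. Every name this server is not master, slave or
    // stub for is sent to the firewall's resolver. "forward only" means
    // no fallback to querying the Internet servers ourselves, which is
    // the right setting when this box cannot reach them anyway.
    forwarders { 192.0.2.53; };
    forward only;
};

// Authoritative zone. Queries for names inside it are answered from the
// zone file (NXDOMAIN if the name is absent) and are never forwarded.
// The empty "forwarders {}" additionally turns global forwarding off for
// every subzone of example.test, so delegations below it are followed
// via their NS records instead of being handed to 192.0.2.53. Without
// it, each internal subzone would have to be listed here as a zone.
zone "example.test" {
    type master;
    file "example.test.db";
    forwarders {};
};

// Per-domain forwarding (BIND 8.2+ "type forward"). Names under
// partner.test go to the partner's server first; "forward first" lets
// this server fall back to normal resolution if that server fails to
// answer, so it is a performance choice rather than a connectivity one.
zone "partner.test" {
    type forward;
    forward first;
    forwarders { 198.51.100.2; };
};
```

One practical check after loading this: a query for an unknown name directly under example.test must come back as an authoritative NXDOMAIN, and a query for a name in a delegated subzone of example.test must show up in the subzone server's logs rather than on the firewall resolver. If it reaches the firewall instead, the "forwarders {}" line is missing or the zone is not actually loaded as master.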




