Forward zone and load-balancer

Kevin Darcy kcd at
Fri Oct 25 18:12:57 UTC 2002

Alain Morency wrote:

> Alain Morency wrote:
> >I have load-balancers equipments that handles DNS queries for
> >certain host to load-balance between multiple servers for redundancy.
> >These load-balancers are in the intranet behind a firewall.
> >
> >Because i don't want all DNS servers on the internet to query my
> >load-balancers, i put a rule in my firewall to accept only DNS query
> >from my ISP's DNS (DNS1). DNS1 is authoritative for
> >Unfortunatly, i don't have any access on DNS1 configuration.
> >
> >I told them to add a forward zone like in following example.
> > and are the load-balancers' addresses.
> >
> >zone "" in
> >       {
> >            type forward;
> >            forwarders {;; };
> >            forward only;
> >       };
> >
> >   The problem is, i see no query coming from DNS1 on the firewall.
> >   I used the same configuration in my lab with Bind 8.2.4 as DNS1
> >   and it worked.
> >
> >   What is wrong ?
> What you've set up simply won't work.  Forward zones only apply to
> recursive queries, and your ISP's name servers will only receive non-
> recursive queries for data in
> You need to let arbitrary name servers on the Internet query your
> load balancers.
> cricket
> Men & Mice
> DNS Software, Training and Consulting
> The DNS and BIND Cookbook, available now!
> Hi again,
> First question  :
> Is there a way to have the same behavior I need,
> with or without forward zones, if I don't want to let arbitrary name
> servers on the Internet query my load balancers ?
> Second question :
> Right now, even if I set DNS1 as my name server (using nslookup in my
> resolver), I can't resolve , is it normal ?

If the resolver (nslookup in this case) requests recursion, and the server
(DNS1 in this case) honors recursion, and the firewalls lets the queries
in and the responses back, then it should work.

My guess is that your ISP disables recursion. Do *any* of the responses
from DNS1 have the RA (Recursion Available) bit set? You might need to use
the "debug" mode of nslookup, or a real lookup tool like dig, to see the
setting of that header bit.

- Kevin

More information about the bind-users mailing list