DNS forwarding query from DNS newbie !

Kevin Darcy kcd at daimlerchrysler.com
Mon Feb 17 22:49:23 UTC 2003


Magic Bob wrote:

>Hola from Barcelona,
>
>I'm pretty new to the DNS scene and am after a little bit of advice on
>an issue I have (using Solaris 8, BIND version 8.2.2-P5)
>
>I have a DNS primary (HOST1) with connections both to the external
>internet and an internal intranet.  Everything is working fine both
>for internal and external name queries when all zones are served from
>this nameserver.
>
>However I am trying to configure one particular external zone so that
>the zone database is held on another internal host (HOST2 - There is
>no external connection on this host).  The theory is that an external
>query for this zone will come to HOST1, which in turn will query HOST2
>for the name resolution.
>
>To do this I have set up a 'type forward' on HOST1 for this domain;
>the syntax is below:
>
>zone "bluefish.com" in {
>        type forward; forward only;
>        forwarders { 192.168.20.20; };
>};
>
>This seemed to be working fine, name resolutions appeared to be
>successful until I came across a slight problem.  The external
>resolution only works when the information is cached on HOST1.  Once
>the entry has expired (TTL has been reached), external name resolution
>fails.  The only way to get it working again is to run an nslookup for
>the domain directly on HOST1 (recaching the information); then
>external resolution works again until the next expiration.
>
>The TTL is currently set at 100 (low for testing purposes).
>
>Can anybody advise me how I can set this up so that an external query
>is resolved through HOST1 querying HOST2 when there is no name
>information in HOST1's cache?  Should I be using a different 'type'
>from forward?  Or is the only way to get around this problem to set up
>HOST1 as a secondary to HOST2 for this domain?
>
>Any help on this much appreciated !
>
Queries between nameservers are typically "non-recursive", which means 
that the receiving server will not generate any queries to fetch the 
data. That explains why the data is only provided if it is already in 
the nameserver's cache.

You should make the externally-visible server a slave of the zone ("type 
slave").

By the way, BIND 8.2.2-p5 is very old and full of security bugs. Upgrade 
immediately.

                                                - Kevin
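Kevin's suggested fix, written out as named.conf fragments for both hosts. This is an added illustration, not configuration posted in the thread; 192.168.20.20 is HOST2's address from the post, while the HOST1 address 192.168.20.10, the file names and the allow-transfer/notify settings are assumptions.

```conf
// Added example, not from the original thread.
// 192.168.20.20 = HOST2 (from the post); 192.168.20.10 = ASSUMED address of HOST1.

// --- HOST2 (internal only, holds the zone data) ---
zone "bluefish.com" in {
        type master;
        file "db.bluefish.com";
        // Only the externally-visible server may pull a copy of the zone.
        allow-transfer { 192.168.20.10; };
        notify yes;                     // send NOTIFY when the zone changes
        also-notify { 192.168.20.10; };
};

// --- HOST1 (externally visible), the forward-only setup from the post ---
// Other nameservers send non-recursive queries (RD bit clear), and a
// forward-only zone answers those from cache alone; once the cached
// records expire, HOST1 has nothing to return until a recursive query
// made on HOST1 itself repopulates the cache.
// zone "bluefish.com" in {
//         type forward; forward only;
//         forwarders { 192.168.20.20; };
// };

// --- HOST1, corrected: hold a slave copy transferred from HOST2 ---
zone "bluefish.com" in {
        type slave;
        file "sec/bluefish.com";        // local copy, refreshed per the SOA timers
        masters { 192.168.20.20; };
        allow-transfer { none; };       // outsiders cannot pull the whole zone
};
```

Once the slave zone has loaded, `dig @HOST1 bluefish.com SOA +norecurse` should return an authoritative answer (aa flag set) whether or not anything is cached.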