bind9 forward zones

Barry Margolin barmar at alum.mit.edu
Mon Apr 11 03:21:02 UTC 2005


In article <d3ckqf$1680$1 at sf1.isc.org>,
 Tom Allison <tallison at tacocat.net> wrote:

> Hello,
> 
> I'm trying to do two things with forwarders.
> 
> The first is to forward requests to my ISP DNS servers to avoid hitting 
> the root servers where I can.  Originally I am pretty sure that my 
> options{ forwarders...} was working correctly, but I can't validate that 
> using dig.

Why do you want to add an extra lookup hop, and a potential point of 
failure?  You'll probably get better performance by going to the root 
servers directly.

> 
> The second is to forward a specific zone to another subnet (VPN) for 
> domain resolution.  This second subnet has its own domain servers and I 
> would like to utilize them for that subnet for simplicity.
> 
> using things like dig +trace, it appears that I am using neither one of 
> my forwarders.
> 
> So, two questions:
> What is the correct method of using dig to validate that my forwarders 
> are working correctly -- what should I see and what should I not see?

I don't think you can see it using dig.  Dig only shows what's going on 
between the client and server, it doesn't have any way of showing what 
the server does.  If you want to verify your forwarders are working, use 
tcpdump or Ethereal to capture the DNS packets and see where they're 
going.

> 
> Is the following format actually correct?  It doesn't act like it.
> 
> Currently I have the following in my named.conf:
> 
> options {
>   notify no;
>   forwarders {
>     24.169.224.226;
>     24.169.224.230;
>   };
>   forward first;
> 
>   auth-nxdomain no;    # conform to RFC1035
> 
>   allow-query {
>     192.168.3/24;
>     192.168.30/24;
>     127.0.0/24;
>   };
> 
>   allow-transfer { none; };
>   recursion yes;
> };
> 
> 
> zone "vpndomain.com" {
>   type forward;
>   //forward first;
>   forwarders { 192.168.30.2; };
>   //allow-query { 192.168.3.0/24; };
> };
> 
> zone "30.168.192.in-addr.arpa" {
>   type forward;
>   //forward first;
>   forwarders { 192.168.30.2; };
>   //allow-query { 192.168.3.0/24; };
> };

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
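What the packet-capture check suggested above looks like in practice, as an added example (not part of the original post and not BIND's own tooling). The idea is to run tcpdump on the BIND host while querying it normally (dig @server name, not dig +trace: +trace walks the delegation chain from the client itself and never exercises the server's forwarders), then classify each outgoing query by where named sent it. The forwarder addresses are the ones in the quoted named.conf; the resolver address 192.168.3.1, the interface name, and every capture line below are constructed for illustration. The script uses one further tell-tale sign: tcpdump prints a + after the query id when the RD (recursion desired) bit is set, which a resolver sets on queries to forwarders and clears on iterative queries to root or authoritative servers.

```python
"""Check from a tcpdump capture whether named is really using its forwarders.

Added example, not code from the original post or from BIND. Assumed setup:
the BIND server is 192.168.3.1 and the capture was taken on it with

    tcpdump -n -l -i eth0 'udp port 53 and src host 192.168.3.1' > queries.txt

then summarize(open("queries.txt")) is run over the saved text output.
"""
import re
from collections import Counter

RESOLVER_IP = "192.168.3.1"  # assumed address of the BIND server
GLOBAL_FORWARDERS = {"24.169.224.226", "24.169.224.230"}  # options { forwarders }
ZONE_FORWARDERS = {  # zone "..." { type forward; forwarders { ... }; }
    "vpndomain.com": {"192.168.30.2"},
    "30.168.192.in-addr.arpa": {"192.168.30.2"},
}

# One tcpdump -n line per outgoing query, e.g.
#   03:21:02.100000 IP 192.168.3.1.40123 > 24.169.224.226.53: 4711+ A? www.example.com. (33)
# '+' after the query id = RD bit set (forwarded query); no '+' = iterative
# query to a root/authoritative server. "[1au]" appears when EDNS is in use.
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"(?P<id>\d+)(?P<rd>\+)? (?:\[[^\]]+\] )?(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+) \("
)


def zone_forwarder_for(name):
    """Return (zone, forwarders) for the forward zone covering `name`, else (None, None)."""
    labels = name.rstrip(".").lower()
    for zone, forwarders in ZONE_FORWARDERS.items():
        if labels == zone or labels.endswith("." + zone):
            return zone, forwarders
    return None, None


def classify(line):
    """Classify one tcpdump line; returns None for replies and non-query lines."""
    m = QUERY_RE.match(line)
    if not m or m.group("src") != RESOLVER_IP:
        return None
    dst, name = m.group("dst"), m.group("name")
    zone, forwarders = zone_forwarder_for(name)
    if zone is not None:
        # A name under a forward zone must go to that zone's forwarders;
        # anything else means the zone statement is not taking effect.
        verdict = "zone-forwarder" if dst in forwarders else "zone-bypassed"
    elif dst in GLOBAL_FORWARDERS:
        verdict = "global-forwarder"
    else:
        verdict = "direct"  # sent to a root or authoritative server
    return {"name": name, "dst": dst, "rd": m.group("rd") == "+", "verdict": verdict}


def summarize(lines):
    """Count verdicts over a capture. 'zone-bypassed' is always a misconfiguration;
    'direct' means named went past the global forwarders, which under
    'forward first' is expected only after a forwarder failed to answer."""
    return Counter(r["verdict"] for r in map(classify, lines) if r)


# Constructed capture (not a real trace): one query of each kind plus a reply.
SAMPLE_CAPTURE = """\
03:21:02.100000 IP 192.168.3.1.40123 > 24.169.224.226.53: 4711+ A? www.example.com. (33)
03:21:02.250000 IP 24.169.224.226.53 > 192.168.3.1.40123: 4711 1/0/0 A 93.184.216.34 (49)
03:21:03.100000 IP 192.168.3.1.40124 > 192.168.30.2.53: 4712+ A? fileserver.vpndomain.com. (42)
03:21:04.100000 IP 192.168.3.1.40125 > 198.41.0.4.53: 4713 [1au] NS? . (28)
03:21:05.100000 IP 192.168.3.1.40126 > 192.168.30.2.53: 4714+ PTR? 7.30.168.192.in-addr.arpa. (43)
03:21:06.100000 IP 192.168.3.1.40127 > 24.169.224.230.53: 4715+ A? printer.vpndomain.com. (39)
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_CAPTURE:
        result = classify(line)
        if result:
            print(f"{result['verdict']:16} {result['name']:28} -> {result['dst']}")
    print(dict(summarize(SAMPLE_CAPTURE)))
```

The sample deliberately contains one query for a vpndomain.com name that went to the ISP forwarder instead of 192.168.30.2 (reported as zone-bypassed) and one iterative NS query to a root server with RD clear (reported as direct); those two verdicts are exactly what a working forwarders configuration should not produce.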


