Forwarding under which conditions?

Barry Margolin barmar at alum.mit.edu
Tue Jun 13 11:08:48 UTC 2006


In article <e6lu48$ftq$1 at sf1.isc.org>,
 Arik Raffael Funke <arik.funke at gmx.de> wrote:

> Barry Margolin wrote:
> >  Arik Raffael Funke <arik.funke at gmx.de> wrote:
> >> Can anybody summarise briefly when to and when not to use forwarding? I
> >> thought I use local caching such as to speed up queries.
> > 
> > Use forwarding when there's something preventing you from contacting 
> > other servers on the Internet, like a firewall.
> > 
> > Whether you use forwarding or not, your server will still cache the 
> > results.
> 
> My internal clients cannot reach the public dns servers directly due to 
> non-public ips.

The clients don't matter, what matters is whether your SERVER can reach 
public servers.

> If I simply forward dns queries with iptables to an 
> external dns, the external dns caches the info, but I still have to get 
> it to my local network every time a query is run. I thus have a delay - 
> especially if the remote machine is slow. I was looking to eliminate 
> this delay.

BIND forwarding is not like iptables forwarding.  It's not just passing 
the packets through, it's still a DNS server.  When you enable 
forwarders, you're just telling it "Instead of asking the authoritative 
servers yourself, ask these servers; either way, cache the results."

In general, asking the authoritative servers will be better, because the 
TTLs of the responses will be longer.  Suppose one of your users looks up a 
record whose authoritative TTL is 60 minutes, and you forward to your 
ISP's server.  If it cached the record 59 minutes ago, the record you 
receive will have a 1-minute TTL, so you'll have to look it up again if 
one of your users asks again a minute later.  But if you go to the 
authoritative server directly, you'll get the full 60 minute TTL and 
won't have to query again for an hour.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
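The TTL effect Barry describes above, as an added worked example (not code from the original post or from BIND): a toy model of two caching resolvers, one forwarding to an ISP cache and one querying the authoritative server directly. The record name, the 192.0.2.10 answer, the 60-minute authoritative TTL and the "ISP cached it 59 minutes ago" timing are all constructed to match the scenario in the reply.

```python
"""Model of how the TTL a caching server receives differs when it forwards
to another cache versus asking the authoritative server itself.
All times are in seconds; the record and timings are constructed for the demo."""

from dataclasses import dataclass, field

AUTHORITATIVE_TTL = 60 * 60  # constructed: the record's TTL at the authoritative server
QNAME = "www.example.com"    # constructed name


@dataclass
class CachedRecord:
    rdata: str
    expires_at: int  # absolute time at which the cached copy is discarded


class AuthoritativeServer:
    """Always answers with the full, undecremented TTL."""

    def resolve(self, qname: str, now: int) -> tuple[str, int]:
        return "192.0.2.10", AUTHORITATIVE_TTL  # constructed answer (TEST-NET-1 address)


@dataclass
class CachingServer:
    """A minimal caching resolver.  `upstream` is either an AuthoritativeServer
    (recursion) or another CachingServer (forwarding).  Either way it caches."""

    name: str
    upstream: object
    cache: dict = field(default_factory=dict)
    upstream_queries: int = 0

    def resolve(self, qname: str, now: int) -> tuple[str, int]:
        rec = self.cache.get(qname)
        if rec is not None and rec.expires_at > now:
            # Cache hit: the TTL handed to the client is the *remaining* lifetime,
            # which is what a forwarder passes on to whoever forwards to it.
            return rec.rdata, rec.expires_at - now
        # Miss or expired: ask upstream and cache whatever TTL it returned.
        self.upstream_queries += 1
        rdata, ttl = self.upstream.resolve(qname, now)
        self.cache[qname] = CachedRecord(rdata, now + ttl)
        return rdata, ttl


def run_scenario(forward: bool) -> dict:
    """Replay the example from the reply: the ISP cache learned the record at
    t=0, our server first asks at t=59 min, and a user asks again a minute later."""
    auth = AuthoritativeServer()
    isp = CachingServer("isp", auth)
    isp.resolve(QNAME, now=0)  # ISP cache primed 59 minutes before we ask
    local = CachingServer("local", isp if forward else auth)

    _, first_ttl = local.resolve(QNAME, now=59 * 60)
    queries_before = local.upstream_queries
    local.resolve(QNAME, now=60 * 60)  # same name, one minute later
    return {
        "first_ttl": first_ttl,
        "cached_locally": QNAME in local.cache,  # forwarding still caches
        "requery_after_1min": local.upstream_queries > queries_before,
    }


if __name__ == "__main__":
    for mode, forward in (("forward to ISP cache", True), ("ask authoritative", False)):
        print(mode, run_scenario(forward))
```

With forwarding the local server receives the ISP cache's leftover 60-second TTL and has to go upstream again a minute later; querying the authoritative server directly yields the full 3600 seconds, so the second lookup is served from the local cache. In both modes the local server caches the answer, which is the other point the reply makes.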