Forwarding under which conditions?

Barry Margolin barmar at
Tue Jun 13 11:08:48 UTC 2006

In article <e6lu48$ftq$1 at>,
 Arik Raffael Funke <arik.funke at> wrote:

> Barry Margolin wrote:
> >  Arik Raffael Funke <arik.funke at> wrote:
> >> Can anybody summarise briefly when to and when not to use forwarding? I
> >> thought I use local caching such as to speed up queries.
> > 
> > Use forwarding when there's something preventing you from contacting 
> > other servers on the Internet, like a firewall.
> > 
> > Whether you use forwarding or not, your server will still cache the 
> > results.
> My internal clients cannot reach the public dns servers directly due to 
> non-public ips.

The clients don't matter, what matters is whether your SERVER can reach 
public servers.

> If I simply forward dns queries with iptables to an 
> external dns, the external dns caches the info, but I still have to get 
> it to my local network every time a query is run. I thus have a delay - 
> especially if the remote machine is slow. I was looking to eliminate 
> this delay.

BIND forwarding is not like iptables forwarding.  It's not just passing 
the packets through, it's still a DNS server.  When you enable 
forwarders, you're just telling it "Instead of asking the authoritative 
servers yourself, ask these servers; either way, cache the results."

In general, asking the authoritative servers will be better, because the 
TTLs of the responses will be longer.  Suppose one of your users looks up a 
record whose authoritative TTL is 60 minutes, and you forward to your 
ISP's server.  If it cached the record 59 minutes ago, the record you 
receive will have a 1-minute TTL, so you'll have to look it up again if 
one of your users asks again a minute later.  But if you go to the 
authoritative server directly, you'll get the full 60 minute TTL and 
won't have to query again for an hour.

Barry Margolin, barmar at
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
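As an added illustration (not part of Barry's post or of BIND's own documentation), the two named.conf shapes he contrasts: a resolver that can reach the Internet and iterates from the root itself, and one behind a firewall that hands every query to the ISP's resolvers. The addresses (10.0.0.0/8 for the LAN, 192.0.2.53 and 192.0.2.54 for the ISP resolvers) and file paths are placeholders chosen for the example, not values from the thread.

```conf
// --- Variant A: server CAN reach the Internet ---------------------------
// No forwarders.  named walks the delegation chain itself, so every
// cached answer carries the full TTL the authoritative server set.
options {
    directory "/var/named";            // placeholder path
    recursion yes;
    // Serve recursion and the cache only to internal clients; an
    // unrestricted resolver answering the whole Internet is an open resolver.
    allow-recursion   { 10.0.0.0/8; 127.0.0.1; };   // placeholder LAN range
    allow-query-cache { 10.0.0.0/8; 127.0.0.1; };
};

zone "." {
    type hint;
    file "named.root";                 // root hints, placeholder filename
};

// --- Variant B: firewall blocks outbound DNS except to the ISP ----------
// Same daemon, same cache; only the upstream changes.  named still parses
// and caches each answer, but the TTL it stores is whatever remains of the
// ISP cache's copy, not the authoritative TTL.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion   { 10.0.0.0/8; 127.0.0.1; };
    allow-query-cache { 10.0.0.0/8; 127.0.0.1; };

    forwarders { 192.0.2.53; 192.0.2.54; };   // placeholder ISP resolvers
    forward only;   // never fall back to iterating; behind this firewall
                    // that fallback would only time out
};
```

Only one `options` block may appear in a real named.conf; the two variants above are meant to be read side by side, not concatenated. `forward first` (the default when `forwarders` is set) tries the forwarders and then iterates on failure, which is the right choice only when the server actually has a path to the authoritative servers. Run `named-checkconf` after editing either variant. Note also that forwarding means trusting the upstream resolver's cache for every answer your clients receive, so forward only to resolvers you would trust with that role.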

More information about the bind-users mailing list