Forwarding environment questions

Chris Buxton cbuxton at menandmice.com
Mon Nov 26 18:21:32 UTC 2007


No, he's saying it's better to not have clients send recursive queries  
to your authoritative name servers in the first place. Instead,  
ideally, it should have recursion turned off entirely, at which point  
a forwarding configuration is essentially pointless.

There are two server jobs in DNS, authoritative and resolving. An  
authoritative name server (at least one that is listed in the NS  
records of your zones), ideally, should not also be serving as a  
resolving name server. You are instead suggesting that your servers  
have to do both jobs, and Mark is arguing that this is not ideal.

Is there a reason you cannot separate the two jobs onto separate boxes?

Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone:   +354 412 1500
Email:   cbuxton at menandmice.com
www.menandmice.com




On Nov 26, 2007, at 7:50 AM, Baird, Josh wrote:

> Mark,
>
> In order to serve existing clients, our internal authoritative servers
> need to be able to answer recursive queries as well.  Are you saying
> that I should have all of my authoritative slave servers be caching
> servers as well and answer recursive queries directly?  I was under the
> impression that it was a better practice to have these authoritative
> servers forward to caching only servers for recursive queries?
>
> Mark -- sorry for the duplicate copy.
>
> Thanks,
>
> Josh
>
> -----Original Message-----
> From: Mark_Andrews at isc.org [mailto:Mark_Andrews at isc.org]
> Sent: Sunday, November 25, 2007 11:57 PM
> To: Baird, Josh
> Cc: bind-users at isc.org
> Subject: Re: Forwarding environment questions
>
>
>> I am currently in the process of re-structuring a fairly large BIND
>> environment and have a few questions regarding forwarding.  Here is a
>> simple overview of the environment that I have in mind for Internal DNS:
>>
>> * Internal Master (authoritative, uses forwarders to caching only
>>   servers for non-authoritative queries)
>>   - Slave 1 (authoritative, uses forwarders to caching only servers
>>     for non-authoritative queries)
>>   - Slave 2 (authoritative, uses forwarders to caching only servers
>>     for non-authoritative queries)
>>   - Slave 3 (authoritative, uses forwarders to caching only servers
>>     for non-authoritative queries)
>>   - Slave 4 (authoritative, uses forwarders to caching only servers
>>     for non-authoritative queries)
>> * Caching only nameserver 1 (no authoritative data, all other internal
>>   BIND servers forward to these for recursive queries)
>> * Caching only nameserver 2
>>
>> I am trying to follow best practices in that authoritative servers
>> (masters and slaves) should not allow recursive lookups, but should use
>> forwarders if necessary.  Due to the nature of the
>
> 	There is no "but should use forwarders if necessary".
>
>> existing environment, all clients are pointing to either the internal
>> master or slave servers for all name resolution (internal resolution,
>> and recursive resolution).  In order to keep these authoritative servers
>> from doing recursive lookups, my plan is to have them all use a
>> forwarders statement in the global options to forward all recursive
>> lookups to the two "Caching only nameservers" that we have in our
>> environment.  Is using forwarders in this way considered to be a good
>> practice versus these authoritative servers going out to the Internet
>> directly for recursive lookups using root hints?
>>
>> I am also a bit confused about the forwarders statements on the slave
>> servers.  It is my understanding that they will only use the forwarders
>> (that are defined in options) if the nameserver does not contain
>> authoritative data for the zone.. this is the case for slave zones as
>> well?  Or do I need to specify "forwarders { };" for each of the zones
>> on the slaves to force it to use the local authoritative data?
>>
>> I greatly appreciate any input or suggestions that you have.
>>
>> Thanks,
>>
>> Josh Baird
>
> 	You have totally missed the point of separating recursive
> 	and authoritative services.
>
> 	Firstly, do not use forwarders unless you know what you are
> 	doing.  Forwarders are there for very specific configuration
> 	issues.  Forwarders are one of the most abused configuration
> 	options in named.conf.
>
> 	For authoritative servers you really only need:
>
> 		options {
> 			recursion no;
> 			allow-query-cache { none; };
> 		};
>
> 		<zone definitions>
>
> 	That will isolate the clients from anything the server
> 	learns as it does its notify processing.  Note, authoritative
> 	servers (masters and slaves) will still ask questions so
> 	they still need a hint zone.
>
> 	Caches can be slaves of zones but they should not be listed
> 	in the NS RRset for the zones.  It is actually common for
> 	caches to be slaves of internal zones as an override mechanism.
>
> 	Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
>
>
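As an added illustration of the separation Mark and Chris describe (these are not configs from the thread), here are two named.conf sketches, one per box: the authoritative server with recursion off and no forwarders, and the caching-only resolver that clients should point at, which also holds a slave copy of the internal zone as Mark's override mechanism. The zone name, addresses and ACL range are placeholders.

```conf
// ===== file 1: named.conf on the authoritative master (or slave) =====
// Placeholders: example.internal, 192.0.2.1, 10.0.0.0/8 (assumed values).
acl "internal" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    recursion no;                   // never resolve on behalf of clients
    allow-query-cache { none; };    // hide anything learned during NOTIFY/SOA checks
    // Deliberately no "forwarders { ... };" here: with recursion off,
    // a global forwarders statement has nothing to forward.
};

// The server still issues its own queries (e.g. notify processing),
// so it keeps a root hint zone.
zone "." { type hint; file "named.root"; };

zone "example.internal" {
    type master;                    // on a slave: type slave; masters { 192.0.2.1; };
    file "master/example.internal.db";
};

// ===== file 2: named.conf on a caching-only resolver =====
acl "internal" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };  // recursion for internal clients only
    allow-query-cache { internal; };
    // No forwarders: resolve from the root hints directly.
};

zone "." { type hint; file "named.root"; };

// Override mechanism from Mark's last paragraph: the cache is a slave of
// the internal zone so it answers it locally, but this host is NOT listed
// in the zone's NS RRset, so nothing delegates to it.
zone "example.internal" {
    type slave;
    masters { 192.0.2.1; };
    file "slave/example.internal.db";
};
```

Clients get only the resolver's address; the authoritative hosts appear only in the zone's NS records.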