forwarders question

Doug Barton dougb at dougbarton.us
Mon Aug 10 20:25:12 UTC 2009


Michael Monnerie wrote:
> We are having 2 sites at different locations now with a DNS resolver on 
> each site. Internet speed between those two different ISPs is very fast, 
> and the hosts to resolve will be about the same because of similar 
> services.
> 
> My idea is to use 
> forward X; 
> on site Y and 
> forward Y;
> on site X, but, as I couldn't find it in the documents, I believe this 
> could lead to a resolver loop between X and Y and therefore even slower 
> resolution. Or is BIND clever enough to only ask the other server once?

If you're getting a response for a name that neither server is
authoritative for, you have your answer. tcpdump could give you more
information if you want to pursue it further.

> There are 2 reasons for this:
> 1) performance. Having the caches hot on both sides and with a high 
> chance one cache knows entries the other can use, it should be quick.

Unless you are turning off your name servers when everyone goes home
at night I would like to suggest that you're not really gaining
anything by doing this. There are two possible scenarios:

1. Usage patterns are different at your 2 sites.
	In that case you gain nothing by doing what you're doing.
2. Usage patterns are similar at your 2 sites.
	In that case IF the link between your 2 sites is dramatically
	faster than the link between your name servers and the outside
	world then you will gain a small amount of performance after
	the name servers are first booted. After a few hours of normal
	use (in other words, the cache is built up on both sides) it
	is likely that you are not gaining anything.

In the event that the link between sites suffers some sort of
performance problem you are definitely going to be pessimizing your
DNS with this configuration.

In short, there are a lot of scenarios when you are going to be doing
worse, and a very few scenarios when you are doing better, and then
only for a short period of time. I would therefore suggest that the
configuration you are suggesting is a lot of added complexity for no
measurable benefit.

> 2) reliability. Asking only internal servers which I can control is more 
> secure than using any ISP's DNS. They start to do the DNS mangling here 
> in Austria also (instead of NXDOMAIN they deliver their web site's A record 
> to point to their search engine).

While I agree that local resolvers are a good idea, this has nothing
to do with your forwarder configuration.


hope this helps,

Doug
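Doug's suggestion is to look at a packet capture if you want to know whether the two forwarders are bouncing queries between each other. The script below is an added example, not part of the original thread or of BIND: it scans tcpdump-style DNS query lines and reports names that ping-pong between the two resolvers in quick succession, which is the signature of a forwarding loop. The resolver addresses and the capture lines are constructed for the example and are not from the post.

```python
"""Spot a resolver forwarding loop in tcpdump-style DNS query lines.

Added example, not code from the mailing-list post. It understands lines of
the shape tcpdump prints for DNS queries, e.g.
    12:00:00.000001 IP 192.0.2.10.40001 > 198.51.100.10.53: 11111+ A? www.example.com. (32)
and counts "bounces": the same name queried in the opposite direction
between the two resolvers within a short window.
"""
import re
from collections import defaultdict

# Hypothetical resolver addresses for site X and site Y (assumption).
SITE_X = "192.0.2.10"
SITE_Y = "198.51.100.10"

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}(?:\.\d+)?) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"(?P<qid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+?)(?: \(\d+\))?$"
)

# Constructed capture: www.example.com bounces X->Y->X->Y within a few
# hundred microseconds; the other names are ordinary, non-looping traffic.
SAMPLE_CAPTURE = [
    "12:00:00.000001 IP 192.0.2.10.40001 > 198.51.100.10.53: 11111+ A? www.example.com. (32)",
    "12:00:00.000200 IP 198.51.100.10.40002 > 192.0.2.10.53: 22222+ A? www.example.com. (32)",
    "12:00:00.000400 IP 192.0.2.10.40003 > 198.51.100.10.53: 33333+ A? www.example.com. (32)",
    "12:00:00.000600 IP 198.51.100.10.40004 > 192.0.2.10.53: 44444+ A? www.example.com. (32)",
    "12:00:01.000000 IP 192.0.2.10.40005 > 198.51.100.10.53: 55555+ A? mail.example.org. (33)",
    "12:00:05.000000 IP 192.0.2.10.40006 > 198.51.100.10.53: 66666+ A? foo.example.com. (32)",
    "13:00:05.000000 IP 198.51.100.10.40007 > 192.0.2.10.53: 77777+ A? foo.example.com. (32)",
    "12:00:01.500000 IP 192.0.2.10.40008 > 203.0.113.5.53: 88888+ A? ns.example.net. (31)",
]


def parse_line(line):
    """Return a dict of fields for a DNS query line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["qname"] = d["qname"].rstrip(".").lower()
    return d


def _seconds(ts):
    """Convert an HH:MM:SS[.ffffff] timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def find_loops(lines, resolvers=(SITE_X, SITE_Y), window=1.0, threshold=3):
    """Return {qname: bounce_count} for names that reversed direction between
    the two resolvers within `window` seconds at least `threshold` times.

    A single query in each direction hours apart (normal cache expiry) is not
    a bounce; only rapid alternation counts.
    """
    pair = set(resolvers)
    last = {}                     # qname -> (direction, seconds)
    bounces = defaultdict(int)
    for line in lines:
        q = parse_line(line)
        if q is None or q["src"] not in pair or q["dst"] not in pair:
            continue
        if q["src"] == q["dst"]:
            continue
        direction = (q["src"], q["dst"])
        t = _seconds(q["ts"])
        prev = last.get(q["qname"])
        if prev is not None and prev[0] != direction and t - prev[1] <= window:
            bounces[q["qname"]] += 1
        last[q["qname"]] = (direction, t)
    return {name: n for name, n in bounces.items() if n >= threshold}


if __name__ == "__main__":
    for name, n in find_loops(SAMPLE_CAPTURE).items():
        print(f"possible forwarding loop: {name} bounced {n} times")
```

In practice you would feed it the output of tcpdump on port 53 between the two resolver addresses; any name that shows up in the report is one the two servers are handing back and forth instead of resolving, which is the slowdown the original question worried about.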



More information about the bind-users mailing list