Selective forwarding from an internal only name server

Darcy Kevin (FCA) kevin.darcy at
Thu Aug 18 14:57:14 UTC 2016

Well, the cost/benefits/risks of separating authoritative and recursive on different *servers* (as opposed to different NICs, views, or whatever) are actually a hotly-debated topic among experts. I know some non-DNS-expert opinions, from the InfoSec side of the house, consider hardware-level separation "ideal", but frankly, I don't think they understand the concepts of NIC- or view-level separation, and need to be edumacated. Personally, I prefer a larger number of multi-role boxes, with view separation. The larger number of boxes means more availability and resilience against, say, Denial of Service attacks, which can target recursive service *or* authoritative service *or* both.

By the way, the original poster never said that he was hosting any zones authoritatively to the Internet on NS1, so why would you assume that he is? He said only that it served "external clients", but those could be *recursive* clients, for all we know.

That having been said, I concur with your technical recommendations.

									- Kevin

-----Original Message-----
From: bind-users [mailto:bind-users-bounces at] On Behalf Of S Carr
Sent: Thursday, August 18, 2016 4:31 AM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server

On 18 August 2016 at 01:04, anup albal <anupalbal at> wrote:
> Does that mean I setup another forwarding zone called or 
> or both?

Ideally you should set up a completely separate caching/forwarding server and not be using the external DNS box (NS1) for this purpose.

On the box you are forwarding the queries to (NS1) you need to enable recursion and specify an ACL for recursion to limit it to only allowing recursion from the internal DNS1 box.

On the internal DNS box (DNS1) also make sure recursion is enabled and an ACL in place allowing your client subnets, and configure forward zones for and zones (and any other zones needed by the sharepoint service) to point at the NS1 box.
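The two-box arrangement described above (NS1 recursing only for DNS1, DNS1 forwarding the needed zones to NS1), written out as named.conf excerpts. This is an added illustration, not configuration from the thread's participants; the zone names were not preserved on the page, so the `sharepoint.example` names are placeholders, and the addresses (192.0.2.10 for DNS1, 203.0.113.1 for NS1, 10.0.0.0/8 for client subnets) are constructed. The NS1 excerpt uses views, in line with the view-level separation Kevin describes, so that external clients never get recursive service from NS1.

```conf
// ---- NS1 (external box): named.conf excerpt ----
acl dns1 { 192.0.2.10/32; };          // the internal DNS1 box (constructed address)

options {
    directory "/var/named";
};

// Only DNS1 lands in this view; it is the sole source allowed to recurse.
view "internal" {
    match-clients { dns1; };
    recursion yes;
    allow-recursion { dns1; };
    allow-query-cache { dns1; };
};

// Everyone else: no recursion at all. Any zones NS1 serves to the
// Internet would be declared here (none are named on the page).
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
};

// ---- DNS1 (internal box): named.conf excerpt ----
acl clients { 10.0.0.0/8; };          // internal client subnets (constructed)

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { clients; };
    allow-query { clients; };
};

// Forward zones for the names the SharePoint service needs; placeholder
// names, since the real zone names were not preserved in the thread.
// "forward only" is appropriate here: an internal-only box cannot reach
// the Internet itself, so falling back to normal recursion would just
// time out instead of answering.
zone "sharepoint.example" {
    type forward;
    forward only;
    forwarders { 203.0.113.1; };      // NS1 (constructed address)
};

zone "cdn.sharepoint.example" {
    type forward;
    forward only;
    forwarders { 203.0.113.1; };
};
```

After loading, `named-checkconf` validates the syntax, and a lookup from a non-DNS1 source against NS1 for a name it is not authoritative for should come back REFUSED, which is the check that the recursion ACL is actually in effect.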