Slaves or Forwarders?

Darcy Kevin (FCA) kevin.darcy at
Tue Aug 23 21:29:31 UTC 2016

>From an InfoSec standpoint, of course one would prefer to use cryptographic methods of securing DNS data, but, in the absence of that, slaving could, arguably, be considered more secure than forwarding, in the sense that forwarding usually generates more network transactions, over time, for any given resolution of any given name, and thus more chances for a bad guy to successfully spoof a response and have that forged answer be cached.

One could also eke out a small measure of extra security (again, if cryptographic methods are for some reason unavailable) by turning off IXFR and thus causing all zone transfers to occur with AXFR, which is TCP-based and thus presumably harder to spoof. But, that's a heavy price to pay for a small increment of extra security. Better to go for crypto, at that point, either within the DNS protocol itself (e.g. TSIG, DNSSEC), by implementing (as many have) an out-of-band method of replicating zone data (e.g. rsync-over-ssh, Infoblox-style "grid replication" over OpenVPN tunnels) or by securing *all* communication between nameserver instances (e.g. IPSEC tunnels).

											- Kevin

-----Original Message-----
From: bind-users [mailto:bind-users-bounces at] On Behalf Of Tony Finch
Sent: Tuesday, August 23, 2016 11:00 AM
To: Baird, Josh
Cc: bind-users at
Subject: Re: Slaves or Forwarders?

Baird, Josh <jbaird at> wrote:
> In the past, when I have had a requirement to bring a slave zone into 
> our environment; I created a slave zone on my master(s) (defining the 
> external nameserver as a master) and then created slave zones on my 
> slaves using *my* master as a master (not the master outside of my 
> environment).

> Is this method of 'sub-slaves' considered an acceptable practice?

Yes. (The new EDNS EXPIRE feature makes it a bit safer too.)

> Some folks also like to use forwarders if they don't have the 
> capability to slave the zone.  In this scenario, I would have to create a 'forward'
> zone on each of my caching servers that forwards requests for ''
> to the up-stream nameserver authoritative for the zone.

Be careful doing that. The target forwarders have to be recursive servers.

This matters if there is a delegated subdomain; if you are forwarding to an authoritative-only server which returns a referral, BIND will be upset that it did not get the final answer it expected.

> I would think that slaving the zone would be the preferred method, 
> since my master/slaves could still serve the zone if the 
> up-stream/forwarder becomes unreachable (until my slave expires).

Yes, slaving can be more robust. But forwarding can be simpler.

f.anthony.n.finch  <dot at>  -  I xn--zr8h punycode
Trafalgar: Easterly 6 to gale 8 in east, otherwise northerly or northeasterly
4 or 5, increasing 6 at times. Slight or moderate, occasionally rough in east.
Showers. Good.
Please visit to unsubscribe from this list

bind-users mailing list
bind-users at

More information about the bind-users mailing list