2 Questions - forward zone and DNS firewalling

Cathy Almond cathya at isc.org
Fri Oct 26 13:54:20 UTC 2018


On 26/10/2018 08:08, N6Ghost wrote:
> Maybe it's just old habits, I think it's a bad idea to build your
> infrastructure in a way that needs forward zones to work. Not when you
> can build it with proper delegation.
> 
> I just think when building namespaces proper delegation should be used
> and forward zones should be avoided if you can.

There's also static-stub you might like to look at instead of
forwarding.  Details in the ARMs for current versions of BIND.

https://kb.isc.org/docs/aa-01031

It's intended for the situation where you want your resolver to query
authoritative servers that you know are a better choice than the ones
advertised in a zone's NS RRset, perhaps because you have an
internal-only route to them, or something like that.
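
A named.conf sketch of the two approaches discussed in this thread, added here as an illustration and not part of the original message. The zone name and addresses are constructed placeholders (documentation ranges); use one definition or the other for a given zone, not both.

```conf
// Option A: forward zone. The resolver sends recursive (RD=1) queries to
// the listed forwarders and relies on them to do the resolution work.
zone "corp.example" {
    type forward;
    forward only;                      // never fall back to normal iteration
    forwarders { 192.0.2.53; };        // constructed address
};

// Option B: static-stub zone. The resolver sends ordinary non-recursive
// queries straight to the authoritative servers named here, instead of the
// servers advertised in the zone's NS RRset. Delegations below the zone
// apex are still followed normally, and DNSSEC validation still applies
// to the answers.
zone "corp.example" {
    type static-stub;
    server-addresses { 192.0.2.10; 2001:db8::10; };   // constructed addresses
};
```

Because the addresses in `server-addresses` replace the published delegation for that zone on this resolver, they should point only at authoritative servers you control or trust over the internal route.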

