intelligent selection of forwarders?

James Ralston qralston+ml.bind-workers at andrew.cmu.edu
Mon Aug 19 22:05:16 UTC 2002


On Thu, 15 Aug 2002, Jim Reid wrote:

> >>>>> "James" == James Ralston <qralston+ml.bind-workers at andrew.cmu.edu> writes:
> 
>     James> Honestly, we don't care a whole lot about the
>     James> load-balancing aspect of this feature (i.e., BIND finding
>     James> the best forwarder to use).  What we *do* care about is
>     James> having rapid failover from a failed forwarding server.
> 
> Er, I might be asking the obvious question but why would you *ever*
> configure a name server to forward queries to an unreliable target?
> Wouldn't it be a lot simpler to just get rid of forwarding
> altogether and have your name server find out the good and bad name
> servers for itself by following NS records?

I want to be able to conduct periodic maintenance (e.g., rebooting one
of the forwarders) with minimal disruption (e.g., without having our
internal nameservers blindly querying the forwarder while it's
rebooting).

Also, if a site's name servers aren't all running BIND9, then using
BIND9 forwarding servers can help mitigate attacks against buffer
overflows in DNS resolver libraries:

    http://www.cert.org/advisories/CA-2002-19.html

(Generically and generally speaking, forcing one's DNS traffic to all
flow through bastion forwarding hosts is a good security practice.)

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA


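As an added illustration of the bastion-forwarder layout described in the message above (example configuration written for this page, not taken from the post or from BIND's own documentation; the network range, ACL name, addresses and host names are assumed for illustration):

```conf
// Added example: named.conf for an internal BIND 9 caching server that
// sends every recursive query through bastion forwarders instead of
// iterating from the roots itself.  The 10.0.0.0/8 range, the "internal"
// ACL name and the 192.0.2.x forwarder addresses are assumptions.

acl internal { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";

    // Only hosts on the internal network may query or recurse here.
    allow-query     { internal; };
    allow-recursion { internal; };

    // "forward only" means this server never contacts the outside world
    // directly: if every forwarder is unreachable, queries fail rather
    // than falling back to iterative resolution.  "forward first" would
    // fall back, which defeats the point of funnelling traffic through
    // the bastions.
    forward only;

    // More than one forwarder, so a single one can be rebooted for
    // maintenance while the others keep answering.
    forwarders {
        192.0.2.10;   // bastion-dns1 (assumed)
        192.0.2.11;   // bastion-dns2 (assumed)
    };
};
```

Operationally, the cleanest way to take one bastion down without the internal servers continuing to try it is to remove it from the `forwarders` list, run `rndc reload`, do the maintenance, and then put it back. Check with `dig @<internal-server> <some-external-name>` that resolution still succeeds with the reduced list before rebooting. The bastions themselves need recursion enabled and should restrict `allow-recursion` to the internal resolvers, so that they do not become open resolvers for the rest of the Internet.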