Subject: Re: stupid named question
To: Jukka Marin <>
From: Greg A. Woods <>
List: netbsd-users
Date: 06/07/2001 18:09:50
[ On Thursday, June 7, 2001 at 17:34:50 (+0300), Jukka Marin wrote: ]
> Subject: stupid named question
> Some machine only have the public IP address.  Is it possible to tell
> the local server 'X' to forward queries to 'Y' if the local database
> doesn't contain the name in the query?

Yes, this is possible and works well (from the doc/html/zone.html file
describing things that go in the "options" part of the configuration):

   The forwarding facility can be used to create a large site-wide cache on a   
   few servers, reducing traffic over links to external nameservers. It can     
   also be used to allow queries by servers that do not have direct access to   
   the Internet, but wish to look up exterior names anyway. Forwarding occurs   
   only on those queries for which the server is not authoritative and does     
   not have the answer in its cache.                                            
           This option is only meaningful if the forwarders list is not         
           empty. A value of first, the default, causes the server to query     
           the forwarders first, and if that doesn't answer the question the    
           server will then look for the answer itself. If only is specified,   
           the server will only query the forwarders.                           
           Specifies the IP addresses to be used for forwarding. The default    
           is the empty list (no forwarding).                                   

   Forwarding can also be configured on a per-zone basis, allowing for the      
   global forwarding options to be overridden in a variety of ways. You can     
   set particular zones to use different forwarders, or have different          
   forward only/first behavior, or to not forward at all. See the zone          
   statement for more information.                                              

So, for example, on your gateway machine (i.e. the one(s) which NATs
from the inside to the outside) you will run a nameserver that listens
only on the inside address and with a config that includes (in the options):

	# use *.53 for recursive queries so as to avoid any possible
	# problems with firewalls, i.e. to ensure that all DNS packets
	# are on port 53, including the replies...
	# NOTE: this cannot be used on any machine that's also running a
	# public external nameserver (because that one would get all our
	# replies from the outside world!)
	query-source address port 53;

You don't need a forwarder for the gateway host as it can talk to the
outside world -- it is the "forwarder" and it just uses the "." zone
hints file and goes out to the root servers itself.

On every other _internal_ nameserver you would use this config:

options {

	# If this is an internal caching nameserver that can't
	# directly talk to the outside world, or is supplemental to
	# the main internal caching nameserver, then you need to
	# forward local queries as appropriate:
	forward only;
        forwarders {;
	/* blah, blah, blah (more options, etc.) */

You don't need to run any other internal nameservers though if all your
internal clients can reach the gateway adequately (as they no doubt can
do if they're making connections through it to the outside world).

>  By default, a master server of a
> domain does not query any other servers (which is natural), but now we
> would like to change that behaviour.  Is this possible?
> (We could duplicate the information necessary in both databases, but
> this would most likely cause problems with keeping both copies of the
> files in sync..)

I think this is the root of your question.

While you can configure an authoritative server to also be a caching
server (i.e. act as a forwarder), you do not want to do this.  In fact
this is the default configuration as I'll show below:

You will still have to maintain a separate authoritative zone file for
the external public view of your DNS (unless you upgrade to BIND-9 and
use the new split-horizon feature), and serve it from an externally
visible nameserver (that can run on your gateway).  I.e. you don't want
to give internal A records in the publicly visible zone.

Of course your external zone should be delegated to several nameservers
and your own auth-only server need not be one of those -- it can be a
"blind primary" that the other, registered, servers secondary from.

Note that on your external master-only server you should always use
these options:

        # make this server an authorititative nameserver ONLY.
        recursion no;

        # this is used in conjunction with "recursion no" to prevent the
        # server's cache from growing or becoming corrupted (at the cost
        # of requiring more work from the client).
        fetch-glue no;

	# use *.53 for recursive queries so as to avoid any possible
	# problems with firewalls, i.e. to ensure that all DNS packets
	# are on port 53, including the replies...
	query-source address port 53;

        # this is the external server only!
	# Do NOT listen on if a caching nameserver also lives
        # here and listens on an internal IP!
        listen-on {
                N.N.N.N;	/* N.N.N.N is your primary NS IP addr
				 * even if it's a "blind primary",
				 * which of course should be on this host

							Greg A. Woods

+1 416 218-0098      VE3TCP      <>     <>
Planix, Inc. <>;   Secrets of the Weird <>