DNS forward only

Need clarification on the documentation on this topic somewhat and wanted to get more info on the following but just can't put my finger on it.
Below is a snippet from a DNS BIND 9.9 configuration. For the most part, reading on forwarding, it's all clear except for one thing. This DNS is authoritative for a particular domain, say a.b.c, where b.c are handled by 1.2.3.4 and 1.2.3.4.5. If I have the forwarder set as is below, based on reading, it should go out to the above two DNS for any resolution and cache locally; however, everything locally on this DNS is resolved as well for a.b.c, since this NS is authoritative for this domain.
So if I'm reading right, why does this resolve entries locally on this NS if it's supposed to go out to resolve when 'forward only' is used? Does the fact that this NS is authoritative for a.b.c change the behavior of how forwarding works?
Assume DNS Host IP 1.1.1.1 where this file resides:
    options {
        listen-on port 53 { any; };
        ...
        allow-query { any; };
        allow-transfer { 1.1.1.11; 1.1.1.22; };
        notify yes;
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        forwarders {
            1.2.3.4; # External DNS
            1.2.3.5; # External DNS
        };
        forward only;
        ...
    };
    ...
    <Forward and Reverse Zones etc>
    ...
dns bind
asked Feb 15 at 13:31 by DigitalTidBits (edited Feb 15 at 16:01 by Torin)
1 Answer
The forward only option might not be the most intuitive name for its function. Essentially, this option prevents the name server from even attempting to contact another remote name server if the defined forwarders are down or not responding. When forward only has been specified, the name server still answers from its authoritative and cached data, but it relies entirely on its defined forwarders without ever trying any other name servers. The option does not mean that the name server should refuse to provide answers for its authoritative zones.
Or, stated differently, if the option is not specified and a query is not for one of the server's authoritative zones and the query result is not already in cache, then the server first asks one of the forwarders. If the forwarders cannot be reached, then the server begins the name resolution process beginning at the root servers as usual.
Thank you. I think that answered my question nicely. Appreciated!
– DigitalTidBits
Feb 16 at 17:20
answered Feb 15 at 14:10 by Christopher (edited Feb 16 at 1:16)
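The lookup order the answer describes, written out as a small decision model. This is an added example, not part of the original post and not BIND's own code. The function names, the sample cache entry and the simplification that every name under a local zone is answered authoritatively (delegations are ignored) are assumptions.

```python
# Simplified model of where a BIND-style server gets its answer from.
# Constructed for illustration; names and sample data are assumptions.

def covering_zone(qname, zones):
    """Return the most specific locally hosted zone containing qname, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def answer_source(qname, zones, cache, forwarders_up, forward_mode):
    """Return the source of the answer for qname.

    forward_mode: 'only', 'first' (the default when forwarders are set),
    or None when no forwarders are configured.
    """
    if covering_zone(qname, zones):
        # Local zone data is used; the forward setting is never consulted.
        return "authoritative"
    if qname.rstrip(".").lower() in cache:
        return "cache"
    if forward_mode in ("only", "first") and forwarders_up:
        return "forwarder"
    if forward_mode == "only":
        # Forwarders unreachable and no fallback allowed.
        return "SERVFAIL"
    # 'first' with dead forwarders, or no forwarders: iterate from the roots.
    return "iterative"


ZONES = {"a.b.c"}             # zone the server in the question is authoritative for
CACHE = {"www.example.org"}   # constructed sample cache entry

if __name__ == "__main__":
    for name, up, mode in [
        ("host.a.b.c", False, "only"),
        ("www.example.org", False, "only"),
        ("x.b.c", True, "only"),
        ("mail.example.net", False, "only"),
        ("mail.example.net", False, "first"),
    ]:
        print(f"{name:18} forwarders_up={up!s:5} forward={mode:5} -> "
              f"{answer_source(name, ZONES, CACHE, up, mode)}")
```

With `forward only`, the one case that changes is the fourth: an uncached, non-local name fails instead of being resolved from the root servers, which is what keeps the server from contacting any name server other than its forwarders.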