Knowledge Base ISC Main Website Ask a Question/Contact ISC
How can I disable global forwarding for delegated subdomains?
Author: ISC Support Reference Number: AA-00538 Views: 10351 Created: 2011-11-14 13:15 Last Updated: 2017-06-21 16:57 0 Rating/ Voters

When a nameserver receives a recursive query, it will first look to see if it has the answer in cache or is authoritative for the domain in which the answer for the name being queried should reside.  Otherwise it will need to iterate - this means that it will itself need to send one or more non-recursive queries to other nameservers in order to obtain the answers.

When you have global forwarding configured, this is telling named that for any queries received, that it should not attempt any iterative resolution itself, but instead should forward (to the specified list of servers) any queries where:

  • it doesn't already have the answers cached
  • it's not authoritative for the zones in which the records being queried for should reside.
For example:
options {
...
forwarders {1.1.1.1 ; 2.2.2.2};
forward only;
...
}

Note the use of forward only.  There is another option (forward first) that allows named to try the forwarders first, but if they don't respond or don't respond quickly enough, then iterative resolution will be attempted as the next step.

You can also disable forwarding on a per-zone basis by declaring the zone as type forward but with a null forwarders list in named.conf:

zone "not-forwarded-example.net" {
       type forward;
       forwarders {};
};

The example above is saying 'forward first to this list of forwarders that overrides the global setting - but since the list is null, attempt to resolve queries for this zone using iteration immediately'.

But what happens if you are authoritative for a domain, but have delegated a subdomain to another server?  If your nameserver receives a query for a name in the delegated domain, what should it do?

This may at first glance be unintuitive to some, but unless you have configured it not to, the global forwarders directive will apply.  This is because in order to resolve the names that are in the delegated zone, the recursive server has to send queries to the servers that have had the zone delegated to them.  This is iteration - and this is why the global forwarders directive becomes applicable.

But it is possible to disable forwarding for delegated zones too - again by adding a null forwarders option to the master or slave zone option:

zone "with-delegation-example.net" {
       type master;
       file "zone.with-delegation-example";
       forwarders {};
};


Global forward (only | first) is not inherited when using forwarders both globally and in a zone statement

Note that in both examples above, although the zone is type forward, it doesn't inherit the 'forward only|first' global setting (if there is one).  The default is forward first.  This means that by declaring a null forwarders list, all queries for names in and below zone not-forwarded-example.net and in delegated subdomains of with-delegation-example.net will be resolved iteratively (assuming that recursion is allowed). In the case of with-delegation-example.net, named will start iterating from the delegation NS records in the zone that it has loaded.



© 2001-2017 Internet Systems Consortium

For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.

ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.

Feedback
  • There is no feedback for this article
Quick Jump Menu