2

What is the purpose of setting a forwarders option in a master zone?

In named.conf, it looks like this:

```
zone "master.zone"
{
    type master;
    file "zones/master/zone/master.zone";
    key-directory "zones/master/zone/keys";
    allow-update {
        admin;
    };
    forward only;
    forwarders {
        8.8.8.8;
    };
};
```

I understand the importance of the forwarders and forward options in a forward zone, but I don't see the utility of setting them in a master zone.

Thanks.

nouney

4 Answers

2

The scenario where this actually makes a difference is when you receive a recursion request for something that is under this zone but not part of this zone.

Specifically:

  • You run a mixed authoritative + recursive nameserver
  • You have an authoritative zone (master or slave), e.g. example.com
  • You have some subdomain in that zone delegated elsewhere, e.g. foo.example.com. IN NS ns.other.example.
  • You receive a recursion request for foo.example.com or something below it (a name that is not part of your zone as foo.example.com was delegated elsewhere)

Under these circumstances, the forwarders { ... }; value on the authoritative zone is the most specific place you can use to define which (if any) forwarders should be used to resolve names below it which are not in any of your own zones.

Other than this particular scenario, I am not aware of any situation where the setting has any effect.

Håkan Lindqvist
  • As an interesting sidenote: The `forwarders{}` statement of a zone can be implicit, i.e. inherited from global configuration. This can result in quite some headaches why delegations are not working as expected ;) – Marki May 03 '22 at 13:37
1

Any query that your nameserver cannot resolve locally will be sent to that address, effectively asking it to resolve the query on your server's behalf (i.e. a recursive query).

This is often done for networking reasons - say you don't want your corporate DNS exposed directly to the Internet, you could create a forwarder to a DMZ name server, which will query the Internet on its behalf.

Andy
  • Thanks for your answer. I know the principle of forwarding, but what's the point of setting it in a master zone? In my case, the `forward` and `forwarders` options are not globally set. – nouney Aug 11 '15 at 13:26
  • @nouney I know this is very late to the party, but I posted an answer that elaborates on the scenario where this slightly peculiar combination of settings actually has an effect. – Håkan Lindqvist Jan 14 '21 at 18:17
0

Forwarders in the zone file are used when BIND has no information for a particular domain that is still part of the authority of the zone.

For example, if you have zone foo.com, and you receive a request for user3.bar.foo.com, the forwarders will be queried on what the result should be, unless you have records for the bar.foo.com domain. You will have received the request, because you are the authoritative server for the foo.com domain.

Now, this is probably most useful to "unset" forwarders previously set. Using the previous example, if you unset the forwarders with forwarders { };, the NS servers for bar.foo.com will be queried, instead of any forwarders you have set up! This means you won't get stuck in an infinite loop of:

```
User's DNS Server -> foo.com DNS Server -> forwarder (i.e. Google DNS) --|
                             ^-------------------------------------------|
```

ConnorJC
  • Forwarding is just a special version of recursion handling, i.e. it only applies to recursion requests, never to regular queries to authoritative servers. Also, the particular "forwarders on master zone" scenario of the question only actually applies to queries that cannot be answered based on the authoritative zone itself, which means it only actually applies to subdomains delegated elsewhere. If records are simply missing, that is trivially answerable based on the authoritative zone itself, no forwarding will happen as you already know the answer. – Håkan Lindqvist Jan 14 '21 at 18:13
  • I.e., if you ask about a name that simply does not exist in the zone, you will still get `NXDOMAIN` as expected; no forwarding necessary if you are the authority and you can see in your own zone that the name doesn't exist. – Håkan Lindqvist Jan 14 '21 at 18:14
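
An added example, not part of any answer here and not BIND's own code: a small Python check for the inheritance Marki's comment mentions and the `forwarders { };` override from ConnorJC's answer, reporting which forwarders each authoritative zone would use for delegated names below it. It assumes a simplified named.conf without `view` or `include` statements; the sample config and all function names are constructed for illustration.

```python
import re

# Constructed sample config (not the asker's): global forwarders plus three zones.
SAMPLE_CONF = '''
options { recursion yes; forwarders { 8.8.8.8; }; };
zone "example.com" { type master; file "zones/example.com"; };
zone "example.net" { type master; file "zones/example.net"; forwarders { }; };
zone "example.org" { type forward; forwarders { 192.0.2.53; }; };
'''

def blocks(conf):
    """Yield (header, body) for each top-level 'header { ... };' statement."""
    conf = re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', conf, flags=re.S)  # drop comments
    depth, start, head = 0, 0, ''
    for i, ch in enumerate(conf):
        if ch == '{':
            if depth == 0:
                head, start = conf[start:i].split(';')[-1].strip(), i + 1
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                yield head, conf[start:i]
                start = i + 1

def forwarders_of(body):
    """Forwarder list set in this block, or None when the statement is absent."""
    m = re.search(r'\bforwarders\s*\{([^}]*)\}', body)
    return None if m is None else [a.strip() for a in m.group(1).split(';') if a.strip()]

def audit(conf):
    """Map each authoritative zone to (source, forwarders) for recursion below it."""
    parsed = list(blocks(conf))
    inherited = next((forwarders_of(b) or [] for h, b in parsed if h == 'options'), [])
    report = {}
    for head, body in parsed:
        zone = re.match(r'zone\s+"([^"]+)"', head)
        if not zone or not re.search(r'\btype\s+(master|slave|primary|secondary)\s*;', body):
            continue  # forward, hint and stub zones are out of scope here
        own = forwarders_of(body)
        if own is None:
            report[zone.group(1)] = ('inherited', inherited) if inherited else ('none', [])
        else:
            report[zone.group(1)] = ('zone', own) if own else ('disabled', [])
    return report

if __name__ == '__main__':
    for name, (source, fwd) in audit(SAMPLE_CONF).items():
        print(f'{name}: forwarders {source} {fwd}')
```

Zones reported as `inherited` are the ones where a delegation inside the zone can be bypassed in favour of the global forwarders; `disabled` marks zones that cleared the list with an empty `forwarders { };`.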
-1

There is very little chance it works. Because it would mean that the 8.8.8.8 server has a delegation of a subdomain on this master zone declaration.

8.8.8.8 is not an authoritative server. This BIND configuration does not make sense.

jyb