How can I disable global forwarding for delegated subdomains?
When a nameserver receives a recursive query, it will first look to see if it has the answer in cache or is authoritative for the domain in which the answer for the name being queried should reside. Otherwise it will need to iterate - this means that it will itself need to send one or more non-recursive queries to other nameservers in order to obtain the answers.
When you have global forwarding configured, this is telling named that for any queries received, it should not attempt any iterative resolution itself, but instead should forward (to the specified list of servers) any queries where:
- it doesn't already have the answers cached.
- it's not authoritative for the zones in which the records being queried for should reside.
For example:
options {
...
forwarders { 1.1.1.1; 2.2.2.2; };
forward only;
...
};
Note the use of forward only. There is another option (forward first) that allows named to try the forwarders first, but if they don't respond or don't respond quickly enough, then iterative resolution will be attempted as the next step.
You can also disable forwarding on a per-zone basis by declaring the zone as type forward but with a null forwarders list in named.conf:
zone "not-forwarded-example.net" {
type forward;
forwarders {};
};
The example above is saying 'forward first to this list of forwarders that overrides the global setting - but since the list is null, attempt to resolve queries for this zone using iteration immediately'.
But what happens if you are authoritative for a domain, but have delegated a subdomain to another server? If your nameserver receives a query for a name in the delegated domain, what should it do?
This may at first glance be unintuitive to some, but unless you have configured it not to, the global forwarders directive will apply. This is because in order to resolve the names that are in the delegated zone, the recursive server has to send queries to the servers that have had the zone delegated to them. This is iteration - and this is why the global forwarders directive becomes applicable.
But it is possible to disable forwarding for delegated zones too - again by adding a null forwarders option, this time to the master or slave zone definition:
zone "with-delegation-example.net" {
type master;
file "zone.with-delegation-example";
forwarders {};
};
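As an added illustration (not part of the ISC article), the following Python model walks through the decision named makes for a non-cached query: answer authoritatively, forward to the global or zone-level forwarders, or iterate. It assumes BIND's rule that the most specific configured zone enclosing the query name supplies the forwarders setting, and it reproduces the article's configurations to show why a delegated subdomain is still forwarded until the parent zone gets its own `forwarders {};`.

```python
from typing import List, Optional
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    ztype: str                                  # "master", "slave" or "forward"
    forwarders: Optional[List[str]] = None      # None: not set; []: `forwarders {};`
    forward: Optional[str] = None               # zone-level `forward only|first`
    delegations: List[str] = field(default_factory=list)  # children delegated by NS

@dataclass
class Config:
    forwarders: List[str] = field(default_factory=list)   # global `forwarders {...};`
    forward: str = "first"                                # global `forward only|first;`
    zones: List[Zone] = field(default_factory=list)

def in_domain(qname, domain):
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)

def resolution_path(cfg, qname):
    """Path for a query not answerable from cache: 'authoritative',
    'iterate', 'forward-only' or 'forward-first'."""
    # assumption: the longest (most specific) configured zone decides
    zone = max((z for z in cfg.zones if in_domain(qname, z.name)),
               key=lambda z: len(z.name), default=None)
    if zone and zone.ztype in ("master", "slave") and not any(
            in_domain(qname, d) for d in zone.delegations):
        return "authoritative"          # the name lives in our own zone data
    fwd, mode = cfg.forwarders, cfg.forward
    if zone and zone.forwarders is not None:   # zone-level list overrides global
        fwd, mode = zone.forwarders, zone.forward or cfg.forward
    return "forward-" + mode if fwd else "iterate"

def demo():
    # constructed config mirroring the article: global forward-only, a
    # forward zone with a null list, and a master zone with one delegation
    cfg = Config(forwarders=["1.1.1.1", "2.2.2.2"], forward="only", zones=[
        Zone("not-forwarded-example.net", "forward", forwarders=[]),
        Zone("with-delegation-example.net", "master",
             delegations=["sub.with-delegation-example.net"]),
    ])
    return {q: resolution_path(cfg, q) for q in [
        "www.example.org",                       # no zone config: forwarded
        "host.not-forwarded-example.net",        # null list: iterate at once
        "www.with-delegation-example.net",       # in our zone: authoritative
        "host.sub.with-delegation-example.net",  # delegated child: forwarded
    ]}
```

Setting `forwarders=[]` on the master zone in `demo()` changes the delegated-child result to `iterate`, which is exactly what the article's final `forwarders {};` achieves.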