How can I disable global forwarding for delegated subdomains?
  • 10 Oct 2018


When a nameserver receives a recursive query, it will first look to see if it has the answer in cache or is authoritative for the domain in which the answer for the name being queried should reside. Otherwise it will need to iterate - this means that it will itself need to send one or more non-recursive queries to other nameservers in order to obtain the answers.

When you have global forwarding configured, this is telling named that for any queries received, it should not attempt any iterative resolution itself, but instead should forward (to the specified list of servers) any queries where:

  • it doesn't already have the answers cached.
  • it's not authoritative for the zones in which the records being queried for should reside.

For example:

options {
    ...
    // global forwarders: every query that is neither cached nor in an
    // authoritative zone is sent here (each address needs its own ';')
    forwarders { 1.1.1.1; 2.2.2.2; };
    forward only;
    ...
};

Note the use of forward only. There is another option (forward first) that allows named to try the forwarders first, but if they don't respond or don't respond quickly enough, then iterative resolution will be attempted as the next step.

You can also disable forwarding on a per-zone basis by declaring the zone as type forward but with a null forwarders list in named.conf:

zone "not-forwarded-example.net" {
    type forward;
    // empty list overrides the global forwarders for this zone
    forwarders {};
};

The example above is saying 'forward first to this list of forwarders that overrides the global setting - but since the list is null, attempt to resolve queries for this zone using iteration immediately'.

But what happens if you are authoritative for a domain, but have delegated a subdomain to another server? If your nameserver receives a query for a name in the delegated domain, what should it do?

This may at first glance be unintuitive to some, but unless you have configured it not to, the global forwarders directive will apply. This is because in order to resolve the names that are in the delegated zone, the recursive server has to send queries to the servers that have had the zone delegated to them. This is iteration - and this is why the global forwarders directive becomes applicable.

But it is possible to disable forwarding for delegated zones too - again by adding a null forwarders option to the master or slave zone statement:

zone "with-delegation-example.net" {
    type master;
    file "zone.with-delegation-example";
    // empty list: names below delegations in this zone are resolved
    // by iteration from the NS records, not via the global forwarders
    forwarders {};
};

Global forward (only | first) is not inherited when using forwarders both globally and in a zone statement
Note that in both examples above, although the zone is type forward, it doesn't inherit the 'forward only|first' global setting (if there is one). The default is forward first. This means that by declaring a null forwarders list, all queries for names in and below zone not-forwarded-example.net and in delegated subdomains of with-delegation-example.net will be resolved iteratively (assuming that recursion is allowed). In the case of with-delegation-example.net, named will start iterating from the delegation NS records in the zone that it has loaded.
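To audit which zones in a named.conf actually end up forwarding, and where, here is an added Python checker (it is not ISC's code) that applies the override and non-inheritance rules described above to a constructed configuration. Its deliberately small parser assumes top-level `options` and `zone` blocks only and ignores `include` statements.

```python
import re

# Constructed sample named.conf: global "forward only" plus the two zone
# examples from the article and one zone that inherits the global setting.
SAMPLE_CONF = """
options {
    forwarders { 1.1.1.1; 2.2.2.2; };
    forward only;
};
zone "not-forwarded-example.net" {
    type forward;
    forwarders {};
};
zone "with-delegation-example.net" {
    type master;
    file "zone.with-delegation-example";
    forwarders {};
};
zone "plain-example.org" {
    type master;
    file "zone.plain-example";
};
"""

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def top_level_blocks(text):
    """Yield (header, body) for each top-level 'header { body };' statement."""
    i = 0
    while (start := text.find("{", i)) >= 0:
        header = text[i:start].split(";")[-1].strip()
        depth, j = 1, start + 1
        while depth:                       # brace matching handles nesting
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield header, text[start + 1:j - 1]
        i = j

def parse_settings(body):
    """Pick out the forwarding-relevant statements of one block."""
    s = {}
    if m := re.search(r"\bforwarders\s*\{([^}]*)\}", body):
        s["forwarders"] = [a.strip() for a in m.group(1).split(";") if a.strip()]
    if m := re.search(r"\bforward\s+(only|first)\s*;", body):
        s["forward"] = m.group(1)
    return s

def effective_forwarding(conf_text):
    """Map zone name -> (forwarder list, policy). A zone-level forwarders
    statement replaces the global list, and its policy defaults to 'first'
    rather than inheriting the global 'forward only'. An empty list means
    names in (or delegated below) the zone are resolved by iteration."""
    glob, result = {}, {}
    for header, body in top_level_blocks(strip_comments(conf_text)):
        if header == "options":
            glob = parse_settings(body)
        elif header.startswith("zone"):
            z = parse_settings(body)
            name = header.split('"')[1]
            if "forwarders" in z:
                result[name] = (z["forwarders"], z.get("forward", "first"))
            else:
                result[name] = (glob.get("forwarders", []), glob.get("forward", "first"))
    return result

if __name__ == "__main__":
    for name, (fwd, policy) in effective_forwarding(SAMPLE_CONF).items():
        print(name, "->", f"forward {policy} to {fwd}" if fwd else "iterate")
```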