11.3 Building Up a Large, Sitewide Cache with Forwarders
Certain network connections discourage sending large volumes of traffic off-site, either because the network connection is pay-per-packet or because it is a slow link with a high delay, as with a remote office's satellite connection to the company's network. In other cases, a firewall might allow only certain name servers to send queries off the local network to the Internet. In these situations, you don't necessarily want your name server to follow the standard DNS resolution algorithm and start by sending a query to a root name server. The solution is called forwarding, which changes the way a name server resolves queries it can't answer itself.

If you designate one or more servers at your site as forwarders, all off-site queries are sent to the forwarders first. The idea is that the forwarders handle all off-site queries generated at the site, building up a rich cache of information. For any given query for a remote domain, there is a high probability that the forwarder can answer the query from its cache, avoiding the need for the other servers to send packets off-site. Nothing special is done to these servers to make them forwarders; you modify all the other servers at your site to direct their queries through the forwarders.
It's worth pointing out that the terminology is a little funny: a name server configured to forward (or, if you prefer, with forwarding enabled) doesn't have an official name, but we use the term forwarding name server. A name server that receives queries forwarded from forwarding name servers is called a forwarder.

A primary or secondary name server's mode of operation changes slightly when it is directed to use a forwarder. If the requested information is already in its database of authoritative data and cache data, it answers with this information; this part of the operation hasn't changed. However, if the information is not in its database, the name server sends the query to its configured forwarders and waits a short period for an answer before resuming normal operation and contacting the remote servers itself. What the name server does differently is send a recursive query to the forwarder, expecting it to find the answer. At all other times, the name server sends out nonrecursive queries to other name servers and deals with responses that refer only to other name servers.
Microsoft has introduced a new feature called conditional forwarding that makes forwarding even more flexible under Windows Server 2003. In prior versions of the Microsoft DNS Server, all queries that couldn't be resolved locally were sent to the same set of forwarders. Using conditional forwarding, you can configure the DNS server to use a different set of forwarders depending on the domain name of the query. In our experience, this feature is most useful in large networks or networks with a restrictive security policy that limits Internet connectivity to certain hosts. For example, consider a large network where, as in most networks, the name servers need to know how to resolve both internal and external names. One set of forwarders (call them set A) might have complete knowledge of the organization's namespace, while a different bunch of forwarders (set B) might have access through the firewall to resolve Internet domain names. An individual name server is authoritative only for a small number of zones. This name server can resolve queries for names in its local authoritative zones, but how does it resolve other names? If a query is for an internal name, the name server needs to forward to the "A" forwarders, but any external names can only be resolved by the "B" forwarders. With conditional forwarding, such a configuration is a snap.

Forwarding is configured by selecting the Forwarders tab on the server properties window. Figure 11-9 shows how a movie.edu name server is configured to forward all queries to wormhole and terminator. And remember, forwarding is configured on every name server except the forwarders themselves (wormhole and terminator in this case).
Figure 11-9. Forwarders configuration tab

To enable forwarding, you need to specify forwarders for a specific domain or for the default of All other DNS domains. The default applies when no other configured domain matches. You can specify up to six forwarders for each domain. The name server forwards to them in the order in which they're listed, using a default timeout of five seconds per forwarder; that is, if the first forwarder doesn't respond within five seconds, it tries the next, waits five more seconds, tries the next, and so on. The forwarding timeout can be changed with the Number of seconds before forward queries time out field.

When you use forwarders, try to keep your site configuration simple. Otherwise, you can end up with configurations that are really twisted. Follow these tips:

Avoid having "midlevel" servers forward packets (that is, avoid configuring forwarding on your midlevel name servers). Midlevel servers mostly refer name servers to subdomain name servers. If they have been configured to forward packets, do they refer to subdomain name servers, or do they contact the subdomain name server to find out the answer? Whichever way it works, you're probably making your site configuration too hard for mere mortals (and subdomain administrators) to understand.

Avoid chaining your forwarders. Don't configure server a to forward to server b, and configure server b to forward to server c (or worse yet, back to server a).
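Chained forwarders and forwarding loops are easy to create by accident and hard to spot by eye once a site has more than a handful of name servers. The following script is an added example, not from this book and not part of the Microsoft DNS Server: it takes a site's forwarding layout (each server with its ordered list of forwarders) and reports every server whose forwarder is itself configured to forward, and every server from which the forwarder links lead back to itself. The server names and the layout are constructed for illustration.

```python
"""Sanity-check a site's forwarding layout for chained forwarders and loops."""
from typing import Dict, List, Tuple

# Constructed example layout (hypothetical servers, not the book's configuration).
# Each key is a name server at the site; each value is the ordered list of
# forwarders it is configured to use. Servers with an empty list are the
# forwarders themselves: they resolve off-site queries on their own.
SITE_FORWARDING: Dict[str, List[str]] = {
    "wormhole": [],                        # forwarder
    "terminator": [],                      # forwarder
    "zardoz": ["wormhole", "terminator"],  # ordinary forwarding name server
    "diehard": ["robocop"],                # chained: robocop forwards too...
    "robocop": ["diehard"],                # ...and back again: a loop
    "carrie": ["robocop"],                 # chained, and the chain ends in the loop
}


def find_chains(layout: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (server, forwarder) pairs where the forwarder itself forwards.

    A forwarder should answer off-site queries itself; if it forwards in turn,
    the site has a chain of forwarders, which the text advises against.
    """
    chains = []
    for server, forwarders in layout.items():
        for fwd in forwarders:
            if layout.get(fwd):            # the forwarder has forwarders of its own
                chains.append((server, fwd))
    return chains


def find_loops(layout: Dict[str, List[str]]) -> List[str]:
    """Return servers from which following the forwarder links leads back to them."""
    loops = []
    for start in layout:
        seen = set()
        frontier = list(layout.get(start, []))
        while frontier:                    # walk every forwarder edge reachable from start
            node = frontier.pop()
            if node == start:
                loops.append(start)
                break
            if node in seen:
                continue
            seen.add(node)
            frontier.extend(layout.get(node, []))
    return sorted(loops)


def audit(layout: Dict[str, List[str]]) -> List[str]:
    """Human-readable findings for the whole layout."""
    findings = []
    for server, fwd in find_chains(layout):
        findings.append(f"{server} forwards to {fwd}, which forwards in turn (chained forwarders)")
    for server in find_loops(layout):
        findings.append(f"{server} is part of a forwarding loop")
    return findings


if __name__ == "__main__":
    for line in audit(SITE_FORWARDING):
        print(line)
```

Run against the constructed layout, the audit flags the diehard/robocop pair as both a chain and a loop, and carrie as chained; zardoz, which forwards only to servers that do not forward, is clean.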
11.3.1 A More Restricted Forwarding Name Server
You may want to restrict your name servers even further, stopping them from even trying to contact an off-site server if their forwarder is down or doesn't respond. You can do this by telling the server not to fall back to using the recursive resolution process if no forwarders respond: check the Do not use recursion for this domain box on the Forwarders configuration tab (see Figure 11-9). The terminology is confusing: this checkbox has nothing to do with the kind of query being sent to the forwarders. As we said earlier, a name server that's forwarding always sends a recursive query to its forwarders. What this checkbox determines is what happens after that recursive query is sent, which we discuss next. The BIND name server configuration syntax calls this kind of forwarding name server a forward-only server, which we think is a good name.

A forward-only server is a variation on a server that forwards. It still answers queries from its authoritative data and cache data. However, it relies completely on its forwarders; it doesn't try to contact other servers for information if the forwarders don't give it an answer.

However, you must ask yourself if it ever makes sense to use a forward-only server. Such a server is completely dependent on the forwarders. You can achieve much the same configuration (and dependence) by not running a forward-only server at all; instead, configure your hosts' resolvers to point to the forwarders you were using. Thus, you are still relying on the forwarders, but now your applications are querying the forwarders directly instead of having a forward-only name server query them for the applications. You lose the local caching the forward-only server would do, but you reduce the overall complexity of your site configuration by running fewer "restricted" name servers.
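To make the behaviour described in this section and in the conditional forwarding discussion concrete, here is an added Python model (not the Microsoft DNS Server's code and not from this book) of a forwarding name server's decision path: it answers from local data when it can, picks the forwarder set by the most specific configured domain (falling back to All other DNS domains), tries the forwarders in their listed order with the per-forwarder timeout, and then either resorts to normal recursion or, for a domain with Do not use recursion checked, gives up. The addresses, names and answers are constructed; the `.` key standing for the default domain and the `ForwardRule` structure are assumptions of this model, not server settings.

```python
"""Model of a forwarding name server's decision path: conditional forwarder
selection, ordered forwarders with a per-forwarder timeout, and the two
outcomes when every forwarder fails (forward-first vs forward-only)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_DOMAIN = "."   # model's stand-in for "All other DNS domains"
MAX_FORWARDERS = 6     # the server accepts up to six forwarders per domain


@dataclass
class ForwardRule:
    forwarders: List[str]       # tried in the listed order
    timeout: int = 5            # seconds to wait on each forwarder (default 5)
    forward_only: bool = False  # True models "Do not use recursion for this domain"


def select_rule(qname: str, rules: Dict[str, ForwardRule]) -> Tuple[str, ForwardRule]:
    """Return the most specific configured domain that qname falls under,
    or the default rule when no conditional domain matches."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        if domain in rules:
            return domain, rules[domain]
    return DEFAULT_DOMAIN, rules[DEFAULT_DOMAIN]


def resolve(qname, rules, local_data, forwarder_answers, recurse):
    """Resolve qname the way a forwarding name server does.

    local_data:        names the server already holds (authoritative or cached)
    forwarder_answers: forwarder -> answer it would return; None means that
                       forwarder is down, so the query to it times out
    recurse:           function performing the normal root-based resolution
    Returns (answer or None, seconds spent waiting on forwarders, path tried).
    """
    if qname in local_data:                       # answered from authoritative/cache data
        return local_data[qname], 0, ["local"]
    domain, rule = select_rule(qname, rules)
    waited, path = 0, []
    for fwd in rule.forwarders[:MAX_FORWARDERS]:  # recursive query to each forwarder in turn
        path.append(fwd)
        answer = forwarder_answers.get(fwd)
        if answer is not None:
            return answer, waited, path
        waited += rule.timeout                    # no reply within the timeout: try the next
    if rule.forward_only:                         # forward-only: no fallback at all
        return None, waited, path
    path.append("recursion")                      # forward-first: resolve it ourselves
    return recurse(qname), waited, path


# Constructed example configuration (hypothetical addresses, not from the text).
RULES = {
    "movie.edu": ForwardRule(["10.0.0.1", "10.0.0.2"]),        # set A: internal names
    DEFAULT_DOMAIN: ForwardRule(["192.0.2.1", "192.0.2.2"]),    # set B: everything else
}
LOCAL_DATA = {"www.movie.edu": "10.0.5.5"}                      # held locally already
FORWARDER_ANSWERS = {
    "10.0.0.1": None,          # first internal forwarder is down
    "10.0.0.2": "10.0.7.7",    # second internal forwarder answers
    "192.0.2.1": None,         # both Internet forwarders are down
    "192.0.2.2": None,
}


def fake_recursion(qname: str) -> str:
    """Stand-in for the server's own root-based resolution (constructed answer)."""
    return "203.0.113.9"


def forward_only_rules() -> Dict[str, ForwardRule]:
    """Same layout, but the default domain has Do not use recursion checked."""
    return {**RULES, DEFAULT_DOMAIN: ForwardRule(["192.0.2.1", "192.0.2.2"], forward_only=True)}


def demo() -> Dict[str, Tuple]:
    args = (RULES, LOCAL_DATA, FORWARDER_ANSWERS, fake_recursion)
    return {
        "local": resolve("www.movie.edu", *args),
        "internal": resolve("db.movie.edu", *args),
        "external": resolve("www.example.com", *args),
        "external_forward_only": resolve("www.example.com", forward_only_rules(),
                                         LOCAL_DATA, FORWARDER_ANSWERS, fake_recursion),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} answer={result[0]} waited={result[1]}s path={result[2]}")
```

The two external cases show the point of this section: with both set B forwarders down, the forward-first server waits ten seconds and then resolves the name itself, sending packets off-site that the firewall policy may not permit, while the forward-only server waits the same ten seconds and returns no answer at all.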