Practical Uses of Forwarding


Forwarding can be quite handy. If your Internet access is slow or metered, that is, if you pay for each byte that goes over your connection, using forwarding is recommended. Forwarding is simply telling your nameserver to hand its queries to another nameserver, which resolves them on its behalf, or perhaps forwards them further still. This has a synergy effect with caching: if several servers forward queries to one server, its cache will grow large and it will quite likely already have the answer cached. Bear in mind that a forwarding server also depends on the forwarder for the correctness of every answer it receives, so forward only to servers you trust.

The Australian Academic and Research Network

A rather extreme example of this is the Australian Academic and Research Network, AARNet2. The network is shared among many institutions in Australia, and they all share one Internet link to the US. The link is of course overloaded, in addition to being very expensive, and even more expensive to upgrade to a faster speed. To discourage unneeded traffic to the US, and to help keep the link usable, its use is in fact metered and paid for by the megabyte. When an FTP archive inside AARNet2 fetches a CD-ROM image, about 700MB, it is expensive. Because of the cost, the Australians have been very organized about how they give access to the goods of the Internet. All manner of traffic is concentrated in a hierarchy, and only very few DNS servers inside AARNet2 have access to the US link. The same goes for Usenet and other traffic that can be organized in this way. They also have large software mirrors on AARNet2, so people tend to get software from them instead of from other places in the world.

The congestion of the US link adds two other factors. First, UDP packets, which DNS uses, are often discarded by routers when networks are congested, so a DNS query might not get through to the outside at all. This causes retries, which add to the traffic, and if many servers are retrying the traffic rises proportionally. Second, the network delay, due both to the congestion and to the sheer length of the link combined with the finite speed of light, is significant even when queries and answers do get through. When the delay exceeds BIND's timeout this also causes retries. They clearly do not want every other server to have its own BIND querying DNS across the US link.

A typical setup in Australia is that an AARNet2 member concentrates all its DNS traffic to one DNS server. This server has access to a regional DNS server, which then forwards to the national DNS service, which in turn puts the query on the US link. Each level of forwarding concentrates the traffic and increases the likelihood that a cached answer is found. The structure of AARNet2 and DNS forwarding in it is shown in Figure 3.1.

Figure 3.1. Within each region the members connect to the regional hub, which in turn connects to the national hub. The DNS forwarding structure mirrors this, queries being forwarded through each level until a cached answer is found or the national hub resolves it.


Thanks to Glen Turner of the University of Adelaide for graciously providing information about AARNet2.

Forwarding in Your Network

Although your network is probably smaller than AARNet2, using forwarding makes sense in most corporate networks, or in any firewalled network with more than a few nameservers. Allowing only one or two nameservers through the firewall simplifies firewall administration, and the concentration also brings the same wins from large caches, resulting in fewer queries over your external link. If you run a small company it also makes sense to forward queries to your ISP's nameservers; they are quite likely to have the answer cached even if you don't. A forwarded query costs fewer bytes than a complete resolution by your own nameserver, which would otherwise have to contact the root servers and walk down the delegation chain itself. Anyone with a high-latency link, say a 33Kbps modem or even 64Kbps ISDN, and many cable modem and frame relay users, should be able to notice a difference.

Forwarding is configured inside the options section of named.conf:

 [ forward ( only | first ); ]
 [ forwarders { [ in_addr ; [ in_addr ; … ] ] }; ]

The first line chooses between the two modes of forwarding. "Forward only" does what the name implies: your named will never attempt to resolve names on its own, it always forwards the queries. With "forward first" it first forwards the query, and if that fails it tries to resolve the name itself; if the ISP's nameserver can't resolve the query within a reasonable time, your own nameserver does it. "Forward first" is the default whenever a forwarders list is given, and because it silently falls back to ordinary recursion, a forwarder that is down or unreachable is easy to miss: the only symptoms are slower lookups and extra traffic.

Behind many firewalls, "forward only" to a designated site-wide DNS server is the only way names will resolve at all. The firewall blocks DNS queries from any host other than the designated one, so peripheral nameservers cannot query the outside DNS directly in any case, and trying to only wastes resources and fills the firewall log with dropped packets.
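As an added example, not the book's own configuration, here are the options sections for the two roles just described: a peripheral nameserver behind the firewall and the designated site-wide server that the firewall lets out. The addresses, directory and network prefix are assumed placeholders; the allow-recursion restriction is an addition of my own, there so that the site-wide server answers recursive queries only for the site and not for anyone on the Internet who finds it.

```conf
// --- /etc/named.conf on a PERIPHERAL server (inside the firewall) ---
// The firewall only passes DNS from 192.0.2.53 (assumed address of the
// site-wide server), so recursion from here would never succeed.
// "forward only" makes named hand every query to that server and never
// fall back to querying the Internet itself.
options {
    directory "/var/named";          // assumed path
    forward only;
    forwarders { 192.0.2.53; };
};

// --- /etc/named.conf on the SITE-WIDE server, 192.0.2.53 ---
// Queries from the peripheral servers arrive here. Try the ISP's
// nameservers first (assumed addresses); "forward first" lets this
// server resolve a name on its own if the ISP's servers do not answer,
// which is acceptable only because this is the one host the firewall
// allows out.
options {
    directory "/var/named";          // assumed path
    forward first;
    forwarders { 198.51.100.10; 198.51.100.11; };
    // Only the site (assumed 192.0.2.0/24) may use this server's cache
    // and recursion; otherwise the concentrated cache is an open
    // resolver for the whole Internet.
    allow-recursion { 192.0.2.0/24; };
};
```

The two sections belong in two different files; a single named.conf may contain only one options statement. To check that the forwarding chain actually works, query a peripheral server for an outside name and confirm, for instance from the site-wide server's query log, that the site-wide server and not the peripheral one is the host that went to the ISP. If the peripheral server answers SERVFAIL while the site-wide server resolves the same name directly, the forwarders line or the firewall rule between the two is the first thing to inspect.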



The Concise Guide to DNS and BIND
ISBN: 0789722739
Year: 1999
Pages: 183