UNIX System Administration Handbook - Evi Nemeth [253]

servers on one host. For example, you might want to do this because it’s best not to configure a BIND 4 or BIND 8 server to be both authoritative and caching—those versions of named keep all their data in one giant database. named can run out of memory, and the data can become corrupted. To avoid this risk, you can run two separate named processes: one as an authoritative server and the other as a caching server that uses the listen-on statement and a different virtual IP address. The authoritative and caching servers can interact just as if they ran on separate machines. Put only the caching server’s IP address in the resolv.conf file.

See page 691 for more information about virtual interfaces.

If your site has a firewall, you can use the query-source option to give external DNS queries a specific, recognizable profile. You typically set named to use port 53 as the source port so that the firewall can recognize outbound DNS traffic as trustworthy packets from one of your name servers.

forwarders { in_addr; in_addr; ... }; [empty list]
forward only | first; [first]

Instead of having every name server perform its own external queries, you can designate one or more servers as forwarders. A run-of-the-mill server can review its cache and the records for which it is authoritative, and if it doesn’t find the answer it’s looking for, it can then send the query on to a forwarder host. That way, the forwarders build up caches that benefit the entire site. Forwarders reduce the load on your network, limit CPU and memory use on weaker servers, increase performance for users, and reduce your reliance on external Internet connectivity. Many sites designate their more powerful and memory-rich servers as forwarders.

A medium-sized site can construct a very efficient DNS system with a series of caching servers that point to just one or two forwarders. Large sites may need a hierarchy of forwarders. The example on page 431 uses a two-level forwarding scheme.

The forwarders option lists the IP addresses of the servers you want to use as forwarders. They are queried in turn. The use of a forwarder circumvents the normal DNS procedure of starting at a root server and following the chain of referrals. Be careful not to create forwarding loops.

A forward only server caches values and queries forwarders, but it never queries anyone else. If the forwarders do not respond, queries will fail. A forward first server prefers to deal with forwarders but will process queries directly if need be.

Since the forwarders option has no default value, forwarding does not occur unless it has been specifically configured. You can turn on forwarding either globally or within individual zone statements.

allow-query { address_match_list }; [all hosts]
allow-transfer { address_match_list }; [all hosts]
blackhole { address_match_list }; [empty]

These options let you specify which hosts (or networks) can query your name server and request block transfers of your zone data. The blackhole address list identifies servers that you never want to talk to; named will not accept queries from these servers and will not ask them for answers.

sortlist { address_match_list }; [should die, don't use]

We mention this option only to warn you away from it. The sortlist option should go away and die. Its purpose was to help along primitive resolvers that don’t sort record sets properly. It lets you specify the order that multiple answers are returned and works against current BINDs’ internal smarts.

Other BIND options that meddle with the order of things are the rrset-order statement, which specifies whether to return multiple answers in cyclic (round robin), fixed, or random order, and the topology statement, which tries to second-guess BIND’s system for selecting remote servers to query. In most cases there is no need to use these statements, either.

The acl statement

An access control list is just a named address match list:

acl acl_name {
    address_match_list
};

You can use an access control list anywhere that an address match
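As an added example (not from the book), here is how the options discussed in this section fit together in the named.conf of the caching half of the split authoritative/caching setup: listen-on on its own virtual address, query-source pinned to port 53 for the firewall, forwarders with forward first, and acl statements feeding allow-query, allow-transfer and blackhole. All addresses, acl names and file names are constructed.

```conf
// Constructed example: caching named on virtual IP 192.0.2.2; the authoritative
// named is a second process on the same host listening on 192.0.2.1.
// Only 192.0.2.2 goes into resolv.conf on the site's client machines.

acl "internal"    { 192.168.10.0/24; 127.0.0.1; }; // our own hosts
acl "secondaries" { 192.0.2.5; 192.0.2.6; };       // allowed to pull zone data
acl "bogus"       { 10.0.0.0/8; };                 // servers we never talk to

options {
    directory "/var/named";

    // Bind only to the caching server's virtual address so the two named
    // processes on this host do not fight over port 53.
    listen-on { 192.0.2.2; };

    // Outbound queries leave from a fixed address and source port 53 so the
    // firewall can recognize them as our name server's traffic.
    query-source address 192.0.2.2 port 53;

    // Site forwarders, tried in turn. Neither may forward back to 192.0.2.2,
    // or you create a forwarding loop. "forward first" falls back to normal
    // root-referral resolution if the forwarders do not answer; "forward only"
    // would make such queries fail instead.
    forwarders { 192.0.2.10; 192.0.2.11; };
    forward first;

    allow-query    { internal; };   // caching service is for our hosts only
    allow-transfer { none; };       // this process serves no zones of its own
    blackhole      { bogus; };      // neither accept queries from nor ask these
};

zone "." { type hint; file "root.cache"; };

// The authoritative process (192.0.2.1) gets its own named.conf with
// listen-on { 192.0.2.1; }, no forwarders, and allow-transfer { secondaries; }
// on each zone it is master for, e.g.:
//   zone "example.com" { type master; file "example.com.zone";
//                        allow-transfer { secondaries; }; };
```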
