By any chance, is it somehow possible to configure BIND as a pure
forwarder like this:
options {
    directory "/var/named";
    forwarders { <another server>; };
    forward only;
};
// END OF /etc/named.conf
and so that it will not clear the AA (Authoritative Answer) flag in
responses from <another server> that have the AA flag set?
I understand this is odd but anyways?
Actually, I think even DNS-agnostic redirection would do the trick for
me, but cannot find a reliable readily available solution for both TCP
and UDP. Any ideas?
(BIND 9.3.4-P1, Solaris)
Thank you,
Vasiliy
> Dear BIND gurus,
>
> By any chance, is it somehow possible to configure BIND as a pure
> forwarder like this:
>
> options {
> directory "/var/named";
> forwarders { <another server>; };
> forward only;
> };
>
> // END OF /etc/named.conf
>
> and so that it will not clear the AA (Authoritative Answer) flag in
> responses from <another server> that have the AA flag set?
>
> I understand this is odd but anyways?
Sounds like you're asking for a DNS proxy rather than a DNS server.
> Actually, I think even DNS-agnostic redirection would do the trick for
> me, but cannot find a reliable readily available solution for both TCP
> and UDP. Any ideas?
I don't think there's a way to force it to retain the AA flag. If you
just want to prevent it from caching, you could use the max-cache-ttl
and max-ncache-ttl options, setting them very low.
--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
Yes, although people often use the term DNS proxy when referring to
something serving ordinary clients so the AA flag isn't important. In my
situation it is desirable for the proxy to be indistinguishable from
<another server> by the AA flag.
>
>> Actually, I think even DNS-agnostic redirection would do the trick for
>> me, but cannot find a reliable readily available solution for both TCP
>> and UDP. Any ideas?
>>
>
> I don't think there's a way to force it to retain the AA flag. If you
> just want to prevent it from caching, you could use the max-cache-ttl
> and max-ncache-ttl options, setting them very low.
Yes, I also want to prevent it from caching but making it appear as
<another server> is more important for now.
Thank you,
Vasiliy
> Yes, I also want to prevent it from caching but making it appear as
> <another server> is more important for now.
Why?
Are you trying to delegate to this server, but have it actually get the
data from another server? This is a common goal, and AFAIK there's no
solution with BIND. Maybe some other nameservers can do it, though.
Why not configure it as a slave rather than forwarder?
There is no such thing as a DNS proxy. DNS caches and doesn't need
proxies. It is not possible to set the AA flag as it's not authoritative
for the zone.
Danny
> Vasiliy Baranov wrote:
> >> Sounds like you're asking for a DNS proxy rather than a DNS server.
> >>
> >
> > Yes, although people often use the term DNS proxy when referring to
> > something serving ordinary clients so the AA flag isn't important. In my
> > situation it is desirable for the proxy to be indistinguishable from
> > <another server> by the AA flag.
> >
>
> There is no such thing as a DNS proxy.
Many home broadband routers include DNS proxies. Computers on the LAN
can point their resolvers to the router, and it will relay the queries
to the DNS servers in its configuration (usually learned from the ISP
via DHCP, but may be statically configured instead). It doesn't do any
caching, and just relays the queries and responses without modification,
except for doing NAT.
Yes.
> This is a common goal, and AFAIK there's no
> solution with BIND. Maybe some other nameservers can do it, though.
>
> Why not configure it as a slave rather than forwarder?
>
>
The set of zones is too dynamic.
Regards,
Vasiliy
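
Added example, not part of any post in this thread: a check for the distinction discussed above, comparing a reply taken directly from the origin server with the reply to the same question seen through the intermediate box, to tell a byte-for-byte relay from a forwarder that clears AA. The name host.example.test, the address, the query IDs and the forwarder setting RA are constructed assumptions.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080

def header_flags(msg: bytes) -> dict:
    """Decode the ID and flag bits from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    ident, word = struct.unpack("!HH", msg[:4])
    return {"id": ident, "qr": bool(word & QR), "aa": bool(word & AA),
            "tc": bool(word & TC), "rd": bool(word & RD),
            "ra": bool(word & RA), "rcode": word & 0x000F}

def classify_path(direct: bytes, via: bytes) -> str:
    """Compare the reply fetched straight from the origin server with the
    reply to the same question obtained through the box under test."""
    d, v = header_flags(direct), header_flags(via)
    if direct[2:] == via[2:]:          # everything except the query ID matches
        return "transparent relay"
    if d["aa"] and not v["aa"]:
        return "forwarder/resolver (AA cleared)"
    return "modified in some other way"

def build_reply(ident: int, flags: int, name: str, addr: bytes) -> bytes:
    """Constructed sample: one-question, one-answer A-record response."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    header = struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    # Answer: compression pointer to the QNAME at offset 12, A/IN, TTL 300.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + addr
    return header + question + answer

# Constructed messages; the two "via" replies use a different query ID
# because they answer a separate query sent through the intermediary.
NAME, ADDR = "host.example.test", bytes([192, 0, 2, 10])
ORIGIN = build_reply(0x1234, QR | AA | RD, NAME, ADDR)
VIA_RELAY = build_reply(0x9999, QR | AA | RD, NAME, ADDR)
VIA_FORWARDER = build_reply(0x9999, QR | RD | RA, NAME, ADDR)  # assumed: RA set

if __name__ == "__main__":
    for label, msg in (("relay", VIA_RELAY), ("forwarder", VIA_FORWARDER)):
        print(label, "aa =", header_flags(msg)["aa"], "->", classify_path(ORIGIN, msg))
```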