In article ,
Tom Allison wrote:

> Hello,
>
> I'm trying to do two things with forwarders.
>
> The first is to forward requests to my ISP DNS servers to avoid hitting
> the root servers where I can. Originally I am pretty sure that my
> options{ forwarders...} was working correctly, but I can't validate that
> using dig.


Why do you want to add an extra lookup hop, and a potential point of
failure? You'll probably get better performance by going to the root
servers directly.

>
> The second is to forward a specific zone to another subnet (VPN) for
> domain resolution. This second subnet has it's own domain servers and I
> would like to utilize them for that subnet for simplicity.
>
> using things like dig +trace, it appears that I am using neither one of
> my forwarders.
>
> So, two questions:
> What is the correct method of using dig to validate that my forwarders
> are working correctly -- what should I see and what should I not see?


I don't think you can see it using dig. Dig only shows what's going on
between the client and server, it doesn't have any way of showing what
the server does. If you want to verify your forwarders are working, use
tcpdump or Ethereal to capture the DNS packets and see where they're
going.

>
> Is the following format actually correct? It doesn't act like it.
>
> Currently I have the following in my named.conf:
>
> options {
> notify no;
> forwarders {
> 24.169.224.226;
> 24.169.224.230;
> };
> forward first;
>
> auth-nxdomain no; # conform to RFC1035
>
> allow-query {
> 192.168.3/24;
> 192.168.30/24;
> 127.0.0/24;
> };
>
> allow-transfer { none; };
> recursion yes;
> };
>
>
> zone "vpndomain.com" {
> type forward;
> //forward first;
> forwarders { 192.168.30.2; };
> //allow-query { 192.168.3.0/24; };
> };
>
> zone "30.168.192.in-addr.arpa" {
> type forward;
> //forward first;
> forwarders { 192.168.30.2; };
> //allow-query { 192.168.3.0/24; };
> };


--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***