BIND9: Do forwarders have any priority

Tags: bind, domain-name-system

I am just setting up my BIND9 server and it works well so far. I decided to integrate a little gimmick into the abilities of my DNS. I want it to resolve IANA-compliant domains like *.com and *.net via the DNS server of my ISP, but I also want to integrate OpenNIC domains like .geek and .project by using an OpenNIC DNS server as a forwarder.
So my forwarders section basically looks like this:

forwarders {
   IP.OF.ISP.DNS;
   IP.OF.OPENNIC.DNS;
};

Despite the fact that OpenNIC DNS servers are able to resolve IANA domains, I don't want to trust them, because hijacking important domains like paypal.com or ebay.com is simply too easy.
Is BIND9 asking the forwarders for records step by step (from the first IP to the last IP), or is it asking them arbitrarily? I want to be sure that the DNS server of my ISP has the top priority when resolving domains.

Is there any way I can "debug" the DNS query directly on my DNS server to see which server it uses to look up the requested domain?

Best Answer

I've looked this up before, but I'm having trouble finding something better than this at the moment: https://lists.isc.org/pipermail/bind-users/2012-April/087455.html

BIND 8 and onward consider each of the forwarders to begin with "equal weight". Based on the SRTT of the responses, the nameserver begins to favor one over the other. A certain percentage of queries will always hit the one with higher latency, to retest the waters and keep the calculated weight preference fair. (Bear in mind that once a record is cached, the forwarders will not be consulted for it again until the TTL has expired.)

In short, the forwarders directive is designed with redundancy and minimized latency in mind -- not in an active-standby failover model. This will not do what you want it to, and I am not aware of any BIND directives to reconfigure this behavior. I end up staring at BIND documentation a fair bit in my line of work so I feel pretty confident about this statement.
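The standard way to get the behaviour the question is after is not to order the global forwarders list but to split it: keep the ISP resolver as the global forwarder and attach the OpenNIC resolver only to `type forward` zones for the alternative TLDs. The named.conf fragment below is an added example written for this page, not configuration from the question or the answer; the addresses (203.0.113.53 for the ISP resolver, 198.51.100.53 for the OpenNIC resolver), the cache directory and the choice of the two TLDs .geek and .project are assumptions.

```conf
// Added example (not from the original post). Addresses are RFC 5737
// documentation addresses standing in for the real resolvers.
options {
    directory "/var/cache/bind";   // assumed; use your distribution's path

    // Global forwarders: every query that does not fall under one of the
    // forward zones below goes here, i.e. to the ISP resolver only.
    forwarders { 203.0.113.53; };

    // "forward only" never falls back to iterative resolution from the
    // root hints; "forward first" would try the roots if the forwarder
    // fails, which for IANA names is fine but gives NXDOMAIN for OpenNIC
    // names, so keep the two modes consistent with what each zone needs.
    forward only;
};

// Per-zone forwarding: queries at or below these names are sent only to
// the OpenNIC resolver. The global forwarders are never consulted for
// them, and the OpenNIC resolver is never consulted for anything else,
// so it cannot answer for paypal.com or ebay.com.
zone "geek" {
    type forward;
    forward only;
    forwarders { 198.51.100.53; };
};

zone "project" {
    type forward;
    forward only;
    forwarders { 198.51.100.53; };
};
```

Check the file with `named-checkconf` before reloading, then confirm the split with `dig @127.0.0.1 example.com` and `dig @127.0.0.1 something.geek` while watching the traffic on the server with a packet capture filtered on port 53: the first query should leave towards 203.0.113.53 only, the second towards 198.51.100.53 only. Two caveats a practitioner should keep in mind: forwarding to the ISP resolver gives no integrity protection on its own, so the "too easy to hijack" concern in the question applies to any forwarder, and DNSSEC validation is what actually addresses it for signed IANA domains; and, if validation is enabled, names under alternative-root TLDs cannot chain to the IANA root trust anchor and will fail validation unless those names are excluded (newer BIND 9 releases provide a `validate-except` option for exactly this).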
