Check out the 'noforward' patches available in the 'contrib'
of the BIND distribution server:
They will help you overcome the 'all or nothing' behavior of standard
It works nicely for us with several internal domains spread over the
and several firewalls to the 'net.

Bob Gammage wrote:
> Now we are implementing tighter security. This involves a
> FireWall that will not pass DNS-Queries and the vendor's
> suggestion is to implement forwarding on all our existing NS's.
> I have been tasked to do this with minimal additional hardware
> and minimal impact to our users.
> Unfortunately, forwarding appears to be an all-or-nothing
> proposition. So even if I create an internal-root NS (for
> the PARENT domain I assume) and replace the root cache on
> every other NS we have, I'm still unclear on how to gracefully
> choke queries of external NS's down to a single source
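For readers who cannot apply the 'noforward' contrib patches, the same selective behaviour the reply describes is built into later BIND releases as per-zone forwarding. The following named.conf fragment is an added example, not part of either post or of the patches: it shows the global 'all or nothing' forwarding the question describes, beside per-zone statements that override it. It uses BIND 9 syntax (which the original thread predates); the zone names, file names and addresses are constructed placeholders.

```conf
// Added example (BIND 9 syntax, not the 'noforward' patches from the post).
// All zone names, file names and IP addresses below are constructed.

options {
    // The 'all or nothing' case: everything this server cannot answer
    // from its own zones or cache goes to the firewall-side forwarder.
    // 'forward only' means it never falls back to recursing itself;
    // 'forward first' would try the forwarder, then recurse on failure.
    forward only;
    forwarders { 192.0.2.53; };
};

// Zone this server is authoritative for: answered from the zone file,
// so the global forwarding never applies to it.
zone "corp.example" {
    type master;
    file "db.corp.example";
};

// Internal zone served behind a different internal firewall: send
// queries for it straight to that server instead of the global forwarder.
zone "lab.corp.example" {
    type forward;
    forward only;
    forwarders { 10.10.0.2; };
};

// Internal reverse zone: an empty forwarders list cancels the global
// forwarders for this zone only, so the server resolves it by normal
// recursion from the internal root/parent delegation.
zone "10.in-addr.arpa" {
    type forward;
    forwarders { };
};
```

After editing, run `named-checkconf` on the file before reloading, and confirm the split with a query for a name in each zone while watching which upstream the server actually contacts (for example with query logging enabled); a zone that still lands on the global forwarder usually means its zone statement did not match the name being resolved.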