# changing DNS for a BIND setup



## artcurmudgeon (Feb 23, 2010)

Just got orders to point our DNS servers at a specific set of DNS servers that also provide blackhole DNS services...

What I did was make a backup of named.root, then clear out the info for the root servers and put in the info for the 3 DNS servers that I am told we will be pulling from.

The DNS servers I have changed provide DNS for our network and for the M$ box that does DHCP (don't even get me started on that)...

Is there a better way or is the way I did it okay?

Thanks


----------



## SirDice (Feb 23, 2010)

Set the forwarding hosts in the named.conf to those 3 DNS servers. Then set the option 'forward only'.

Leave the other files alone 


```
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
        forwarders {
                127.0.0.1;
        };
*/

// If the 'forwarders' clause is not empty the default is to 'forward first'
// which will fall back to sending a query from your local server if the name
// servers in 'forwarders' do not have the answer.  Alternatively you can
// force your name server to never initiate queries of its own by enabling the
// following line:
//      forward only;
```

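As an added example (not code from the thread and not part of BIND), here is a small lint that checks a named.conf the way the advice above requires: it strips all three BIND comment styles (`//`, `#`, `/* ... */`) and then verifies that the `forwarders` clause is non-empty and that `forward only` is actually in effect. Both embedded configs are constructed for this example; the first is the shipped default with both options still commented out, the second is the corrected version. The three forwarder addresses (192.0.2.1-3) are documentation-range placeholders standing in for the assigned servers.

```python
"""Lint a BIND named.conf for an active 'forward only' setup.

Added example, not code from the thread or from BIND. The embedded
configs are constructed; 192.0.2.x are placeholder forwarder addresses.
"""
import re

# Constructed sample: the shipped default. 'forwarders' is inside a /* */
# block comment and 'forward only' behind a // comment, so named will still
# resolve iteratively from the root servers.
DEFAULT_CONF = """
options {
        directory       "/etc/namedb";
/*
        forwarders {
                127.0.0.1;
        };
*/
//      forward only;
};
"""

# Constructed sample: both comment markers removed, three forwarders set.
FIXED_CONF = """
options {
        directory       "/etc/namedb";
        forwarders {
                192.0.2.1;  # placeholder, use the three assigned servers
                192.0.2.2;
                192.0.2.3;
        };
        forward only;
};
"""

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"(//|#).*")


def strip_comments(text):
    """Remove BIND comments: /* */ blocks first, then // and # to end of line.
    Caveat: a '#' or '//' inside a quoted string would also be removed;
    that does not occur in an options block like the ones checked here."""
    text = _BLOCK_COMMENT.sub("", text)
    return _LINE_COMMENT.sub("", text)


def forwarders(text):
    """Return the addresses listed in the active (uncommented) forwarders clause."""
    m = re.search(r"forwarders\s*\{([^}]*)\}", strip_comments(text))
    if not m:
        return []
    # Each entry is 'addr;' or 'addr port N;'; keep only the address.
    return [entry.split()[0] for entry in m.group(1).split(";") if entry.strip()]


def forward_only(text):
    """True if an uncommented 'forward only;' is present."""
    return re.search(r"\bforward\s+only\s*;", strip_comments(text)) is not None


def lint(text):
    """Return (ok, problems). ok is True only when every query is forwarded."""
    problems = []
    if not forwarders(text):
        problems.append("no active forwarders clause (still commented out?)")
    if not forward_only(text):
        problems.append("'forward only' not set: named falls back to the root servers")
    return (not problems, problems)


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("fixed", FIXED_CONF)):
        ok, problems = lint(conf)
        print(name, "OK" if ok else "NOT forwarding everything: " + "; ".join(problems))
```

Run it against `/etc/namedb/named.conf` (or wherever the file lives) after editing to confirm that both comment markers really were removed and that the default `forward first` behaviour, which retries from the root servers when the forwarders do not answer, is not what is in effect. With `forward only` in the global options, named never resolves iteratively on its own; the remaining ways a query can bypass the forwarders are zones that carry their own `forward` or `forwarders` statement and zones the server is authoritative for.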

----------



## DutchDaemon (Feb 23, 2010)

And don't forget to uncomment both options (// and /* .. */).


----------



## artcurmudgeon (Feb 24, 2010)

Welp, so far everything is running okay.

What I am wondering is if I used the forwarding statement, will there be a chance of anything deferring to the root servers?

The whole state is moving towards using these DNS servers, and I don't want anyone to come back to me and ask why we didn't just use them exclusively (this is part of the fun of working for a school district).

Is there any reason not to use these DNS servers in place of the root servers?

thanks


----------



## DutchDaemon (Feb 24, 2010)

I believe that using 'forward only' will actually forward everything. If you want to make sure, block 'tcp+udp/53' out to all but these three trusted DNS servers.


----------



## artcurmudgeon (Apr 5, 2010)

Okay, I admit I was wrong: my original method, while it did work, made viewing some sites SLOW...

I went back and changed everything around and set the forwarding per your instruction.

And it worked like a champ.

Thanks again.


----------

