
I have inherited an internal DNS solution at my new company and I want to start to improve its reliability! At the moment there is one Master for the internal domain which forwards external DNS lookups to our ISP. There is one slave which only seems to resolve internal requests.

For improved resiliency should I be setting the slave to forward internet lookups as well?

Thanks for any help.

Duncan

3 Answers


Yes, the slave should be the same as the master in all regards, except that it has a reference to the master to feed it any other changes. The purpose of a slave DNS is exactly to continue doing what the master was doing until it failed.

icyrock.com

Keep in mind that a DNS server is master for a zone and slave for a zone. It is common practice that one has all the domains under his technical administrative control in one server as master zones (and we call the server "master") and the same zones designated as slaves for the rest of the nameservers (and therefore we call them "slave" servers). But (assuming for example two servers) there is nothing that stops someone from running some zones as master and some as slaves on the first and vice versa for the second. Or even running the zones as master zones on both servers (even though this creates administrative overhead and will lead to errors easily).

Master and slave then are terms to be used about zones that the nameservers know to answer queries about with absolute certainty and without having to forward the question to another server. There exist people (and software and the combination of both) that split the roles between master / slave and caching servers. People who use BIND for example can combine all three roles in one instance and I am assuming that you are running BIND or something similar. And having a second server to ask for lookups when the first fails definitely helps. It helps more when they are not both on the same subnet / LAN, for if there exists a connectivity problem for one, it most probably affects the other too. Having them in separate networks may sometimes help (imagine the first network being cut off from the network, while the second server is fully connected. If you can query the second server you will have DNS lookups). Although I am not a fan of djbdns, this page is a good starting point on the various DNS strategies one can deploy.

adamo

In most cases the secondary server is never going to be queried for any lookups, internal or external. Assuming that all of your DNS clients have the primary server listed as their primary DNS server and have the secondary server listed as their secondary DNS server, the only reason a DNS client would ever query the secondary is if the primary server were unavailable. If that in fact describes the problem you're dealing with, then I think you're addressing it from the wrong direction. If you are having problems with the stability and reliability of the primary server then my suggestion would be to fix those issues. This is of course based on the assumption that your setup is fairly basic; one site (office, location, etc.), 2 DNS servers (primary and secondary), and that all of your DNS clients are configured to use the primary server as their primary DNS server and the secondary server as their secondary DNS server.

That being said, the secondary should be capable of resolving external queries. There are scenarios where the secondary may come into play:

  1. The primary server is unavailable

  2. The secondary server is set as the primary DNS server for some DNS clients.

  3. Etc., etc.

joeqwerty
  • Thanks for the answer. Currently we have multiple geographical locations served by a Primary and Secondary in the central location. Living dangerously I know. – Duncan Nov 17 '10 at 14:12
  • I am going to update the secondary (slave) so it can resolve externally. Then look to install another pair at another location for redundancy. – Duncan Nov 17 '10 at 14:13
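As an added example (not part of any answer above, and not the asker's actual configuration): the relevant pieces of a BIND 9 named.conf for a master and a slave that both resolve internal and external names, which is what icyrock.com's answer ("the slave should be the same as the master in all regards") and joeqwerty's answer ("the secondary should be capable of resolving external queries") recommend. The zone name corp.example, the addresses 192.0.2.10 (master) and 192.0.2.11 (slave), the client range 10.0.0.0/8 and the ISP resolvers 198.51.100.1 / 198.51.100.2 are all placeholders.

```conf
// Added example, not from the original thread. Assumes BIND 9.
// Placeholders: internal zone "corp.example", master 192.0.2.10,
// slave 192.0.2.11, client networks 10.0.0.0/8 and 192.0.2.0/24,
// ISP resolvers 198.51.100.1 and 198.51.100.2.

// ---------- master: /etc/named.conf (relevant parts) ----------
acl "internal" { 10.0.0.0/8; 192.0.2.0/24; localhost; };

options {
    directory "/var/named";
    recursion yes;                    // resolve Internet names for clients
    allow-recursion { "internal"; };  // never act as an open resolver
    allow-query     { "internal"; };
    forwarders { 198.51.100.1; 198.51.100.2; };  // ISP resolvers
    // "forward first" (the default) falls back to iterative resolution
    // from the root servers if both forwarders stop answering;
    // "forward only" would make the ISP a single point of failure.
    forward first;
};

zone "corp.example" {
    type master;
    file "corp.example.zone";
    allow-transfer { 192.0.2.11; };   // only the slave may AXFR the zone
    notify yes;
    also-notify { 192.0.2.11; };      // push change notifications promptly
};

// ---------- slave: /etc/named.conf (relevant parts) ----------
// The options block is deliberately identical to the master's:
// recursion, allow-recursion and forwarders are server-wide settings,
// not zone settings, so a slave without them answers only for the zones
// it carries, and clients that fail over to it lose Internet resolution.
acl "internal" { 10.0.0.0/8; 192.0.2.0/24; localhost; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "internal"; };
    allow-query     { "internal"; };
    forwarders { 198.51.100.1; 198.51.100.2; };
    forward first;
};

zone "corp.example" {
    type slave;
    file "slaves/corp.example.zone";  // directory must be writable by named
    masters { 192.0.2.10; };
    allow-transfer { none; };         // the slave does not re-serve AXFR
};
```

After loading the configuration (`named-checkconf` on each server, then `rndc reload`), the check worth doing from a client is to query the slave directly for one name of each kind, for example `dig @192.0.2.11 www.example.com A` for an external name and `dig @192.0.2.11 corp.example SOA` for the internal zone, and to compare the SOA serial the slave returns with the master's: matching serials show that zone transfers are working, and an answer for the external name shows that recursion and forwarding are enabled on the slave rather than only on the master.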