You may want to restrict your name servers even further - stopping them from even trying to contact an off-site server if their forwarder is down or doesn't respond. You can do this by making the server a forward-only server. (A forward-only server is still a primary master, slave, or caching-only server; don't get confused here. We call it a forward-only server because calling it a primary master, slave, or caching-only forward-only server is just too long a name.) A forward-only server is a variation on a server that uses forwarders. It still answers queries from its authoritative data and cache data. However, it relies completely on its forwarders; it doesn't try to contact other servers to find out information if the forwarders don't give it an answer. Here is an example of what a forward-only server's conf file would contain:
options { forwarders { 192.249.249.1; 192.249.249.3; }; forward-only; };
On a BIND 4 name server, that would look like:
forwarders 192.249.249.1 192.249.249.3 options forward-only
BIND name servers before 4.9 provide the same functionality, using the slave directive instead of the options forward-only directive:
forwarders 192.249.249.1 192.249.249.3 slave
Don't confuse this old use of the term "slave" with the modern use. "Slave" now means a name server that gets the data that describes a zone from a master server via a zone transfer.
You must have the forwarders line in the conf or boot file. It does not make sense to have only the forward-only line. If you do create a forward-only name server, you might want to consider including the forwarders' IP addresses more than once. On a BIND 8 server, that would look like:
options { forwarders { 192.249.249.1; 192.249.249.3; 192.249.249.1; 192.249.249.3; }; forward-only; };
On a BIND 4 server, that's:
forwarders 192.249.249.1 192.249.249.3 192.249.249.1 192.249.249.3 options forward-only
The forward-only server contacts each forwarder only once, and it waits a short time for the forwarder to respond. Listing the forwarders multiple times directs the forward-only server to retransmit queries to the forwarders, and increases the overall length of time that the forward-only name server will wait for an answer from forwarders.
However, you must ask yourself if it ever makes sense to use a forward-only server. A forward-only server is completely dependent on the forwarders. You can achieve much the same configuration (and dependence) by not running a forward-only server at all; instead, create a resolv.conf file that contains nameserver directives that point to the forwarders you were using. Thus, you are still relying on the forwarders, but now your applications are querying the forwarders directly instead of having a forward-only name server query them for the applications. You lose the local caching that the forward-only server would have done, and the address sorting, but you reduce the overall complexity of your site configuration by running fewer "restricted" name servers.