Re: DNS forwarding

["Randy Garbrick" <garbrir () hotmail com>]

Depends on the architecture.  It should be pointed at the primary DNS 
server for your domain.  That could be a local server in your DMZ or the 
ISP's server. However, if primary DNS is provided by your firewall then 
it should be pointed at either the root servers or the ISP's server.  To 
me, the decision whether to point at the ISP's server or the root would 
be one of performance.  If the ISP is large, it will most likely have a 
great deal of locally cached information, which would make it faster 
unless it is over-used.  The round-trip time to your ISP should be much 
lower than to the root and it might have the host you want cached 
instead of sending you to the destination domain's primary DNS.  The 
root servers will always send you to the destination domain's primary 
DNS.  If the ISP is small, it is most likely just an extra hop on the 
way the root.

Randy Garbrick

> From owner-firewall-wizards () nfr net Fri Oct  2 19:34:25 1998
> Received: from nfr.net (tower.nfr.net [208.196.145.10]) by 
mailrelay.data-io.com (8.7.3/8.7.3) with ESMTP id TAA20014 for 
<rgarb () data-io com>; Fri, 2 Oct 1998 19:34:28 -0700 (PDT)
> Received: (from lists@localhost)
>       by nfr.net (8.8.8/8.8.8) id MAA14884
>       for firewall-wizards-outgoing; Fri, 2 Oct 1998 12:56:26 -0500 (CDT)
> Received: (from fwiz@localhost)
>       by nfr.net (8.8.8/8.8.8) id MAA14868
>       for firewall-wizards () nfr net; Fri, 2 Oct 1998 12:56:11 -0500 (CDT)
> Received: from mail.iex.net (mail.iex.net [192.156.196.5])
>       by nfr.net (8.8.8/8.8.8) with ESMTP id KAA24672
>       for <firewall-wizards () nfr net>; Thu, 1 Oct 1998 10:08:11 -0500 (CDT)
> Received: from jjm.jkintl.com (pppaf05.newmex.com [207.199.61.21]) by 
mail.iex.net (8.8.5/8.7.5) with SMTP id JAA14024 for 
<firewall-wizards () nfr net>; Thu, 1 Oct 1998 09:03:25 -0600 (MDT)
> Date: Thu,  1 Oct 98 09:01:45
> From: John McDermott <jjm () jkintl com>
> Subject: DNS forwarding
> To: firewall-wizards () nfr net
> X-PRIORITY: 3 (Normal)
> X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc.
> Message-ID: <Chameleon.907254553.jjm () jjm jkintl com>
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Sender: owner-firewall-wizards () nfr net
> Precedence: bulk
> Reply-To: John McDermott <jjm () jkintl com>
>
>
> All,
> I was recently discussing what one might do when forwarding DNS through 
a 
> firewall.  [ I know about the issues of using a non-transparent proxy, 
etc, 
> but that is not the issue here.]  My question is where to point the 
> firewall to resolve internal forwarded queries.
>
> For example if internal host foo.local.net asks for www.external.com, 
> should the firewall forward the query directly to a root server or 
should 
> it forward the query to, for example, the ISP's cacheing server? 
>
> My thought has always been to forward to the local cacheing server to 
take 
> load off the root servers (in the example above, surely the info for an 
> appropriate .com server is cached in the ISP's server).  I have also 
heard 
> that all firewalls should forward to the root server.
>
> What are your feelings on this, and is there some sort of definitive 
> recommendation?  I checked the firewalls FAQ and the DNS FAQ and I 
could 
> not find a "best practices" recommendation in either.  Maybe this has 
not 
> been addressed by the FAQs or maybe I have old versions.
>
> Thanks,
> --john
> -------------------------------------
> Name: John McDermott
> VOICE: 505/377-6293 FAX 505/377-6313
> E-mail: John McDermott <jjm () jkintl com>
> Writer and Computer Consultant
> -------------------------------------


______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com