Firewall Wizards mailing list archives
Re: DNS forwarding
From: "Randy Garbrick" <garbrir () hotmail com>
Date: Wed, 07 Oct 1998 08:47:14 PDT
Depends on the architecture. It should be pointed at the primary DNS server for your domain. That could be a local server in your DMZ or the ISP's server. However, if primary DNS is provided by your firewall then it should be pointed at either the root servers or the ISP's server.

To me, the decision whether to point at the ISP's server or the root would be one of performance. If the ISP is large, it will most likely have a great deal of locally cached information, which would make it faster unless it is over-used. The round-trip time to your ISP should be much lower than to the root, and it might have the host you want cached instead of sending you to the destination domain's primary DNS. The root servers will always send you to the destination domain's primary DNS. If the ISP is small, it is most likely just an extra hop on the way to the root.

Randy Garbrick
Date: Thu, 1 Oct 98 09:01:45
From: John McDermott <jjm () jkintl com>
Subject: DNS forwarding
To: firewall-wizards () nfr net
Message-ID: <Chameleon.907254553.jjm () jjm jkintl com>

All,

I was recently discussing what one might do when forwarding DNS through a firewall. [I know about the issues of using a non-transparent proxy, etc., but that is not the issue here.]

My question is where to point the firewall to resolve internal forwarded queries. For example, if internal host foo.local.net asks for www.external.com, should the firewall forward the query directly to a root server or should it forward the query to, for example, the ISP's caching server?

My thought has always been to forward to the local caching server to take load off the root servers (in the example above, surely the info for an appropriate .com server is cached in the ISP's server). I have also heard that all firewalls should forward to the root server.

What are your feelings on this, and is there some sort of definitive recommendation? I checked the firewalls FAQ and the DNS FAQ and I could not find a "best practices" recommendation in either. Maybe this has not been addressed by the FAQs or maybe I have old versions.

Thanks,
--john
-------------------------------------
Name: John McDermott VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------
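Editor's added example (not from either message in this thread): the two choices discussed above, forwarding to the ISP's caching resolver versus iterating from the root servers, written as BIND 9 named.conf fragments. The address 192.0.2.53 (ISP resolver, RFC 5737 documentation range), the 10.0.0.0/8 internal network and the file names are placeholders. The two `options` blocks are alternatives; named accepts only one per configuration.

```conf
// Option A: forward everything to the ISP's caching resolver.
// 192.0.2.53 is a placeholder for the ISP's server.
options {
    directory "/var/named";
    // Only internal hosts (placeholder 10.0.0.0/8) may ask this server to
    // recurse; a firewall resolver should never be an open resolver.
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    forwarders { 192.0.2.53; };
    // "forward only": if the ISP resolver is unreachable, lookups fail rather
    // than falling back to the roots. "forward first" tries the forwarder and
    // then iterates from the root hints if it gets no answer.
    forward only;
};

// Option B: no forwarders; resolve iteratively starting from the root hints.
// Each lookup not already in the local cache begins at a root server, which
// refers the resolver on to the destination domain's name servers.
options {
    directory "/var/named";
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    // no "forwarders" statement
};

// Root hints file (named.root, as published by InterNIC/IANA); needed for
// option B and for the fallback in "forward first".
zone "." {
    type hint;
    file "named.root";
};
```

Two checks a practitioner would run against the chosen configuration: `dig @192.0.2.53 www.external.com` shows what the forwarder answers (and whether it was a cached answer, from the TTL), while `dig +trace www.external.com` walks the iterative path from the roots that option B would take, which is also a quick way to compare the round-trip costs Randy describes. With option A the firewall's answers are only as trustworthy as the ISP's cache, since the firewall never queries the destination domain's servers itself.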
Current thread:
- DNS forwarding John McDermott (Oct 02)
- <Possible follow-ups>
- Re: DNS forwarding trall (Oct 05)
- Re: DNS forwarding Bill_Royds (Oct 05)
- Re: DNS forwarding Randy Garbrick (Oct 07)