Firewall Wizards mailing list archives

Re: DNS forwarding


From: Bill_Royds () pch gc ca
Date: Mon, 5 Oct 1998 09:45:30 -0400

I think it depends on how much you trust your ISP's cache. If you forward a
request to a cache, it might have been poisoned (filled with incorrect
lookups by a rogue DNS server). If you go directly to the root server, it
will be clean but will cost you delays in lookup and recursion costs. It is
safer to go to the root, but more expensive.

John McDermott <jjm () jkintl com> said

To:   firewall-wizards () nfr net
cc:    (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  DNS forwarding
All,
I was recently discussing what one might do when forwarding DNS through a
firewall.  [ I know about the issues of using a non-transparent proxy, etc,
but that is not the issue here.]  My question is where to point the
firewall to resolve internal forwarded queries.

For example, if internal host foo.local.net asks for www.external.com,
should the firewall forward the query directly to a root server or should
it forward the query to, for example, the ISP's caching server?

My thought has always been to forward to the local caching server to take
load off the root servers (in the example above, surely the info for an
appropriate .com server is cached in the ISP's server).  I have also heard
that all firewalls should forward to the root server.

What are your feelings on this, and is there some sort of definitive
recommendation?  I checked the firewalls FAQ and the DNS FAQ and I could
not find a "best practices" recommendation in either.  Maybe this has not
been addressed by the FAQs or maybe I have old versions.

Thanks,
--john
-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------
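The two choices discussed above, written out as BIND 9 resolver configurations. This is an added example, not part of either message and not a configuration either poster provided; the 10.0.0.0/8 client range, the 192.0.2.53 forwarder address and the file paths are placeholders to be replaced with your own values. The dnssec-validation line is a later addition to BIND that directly addresses the poisoned-cache concern raised in the reply: a validating resolver rejects forged answers whether they arrive from a forwarder or from an authoritative server, which removes much of the trust you would otherwise have to place in the ISP's cache.

```conf
// --- Choice A: forward all queries to the ISP's caching resolver ---
// One upstream hop per lookup, but every answer is only as good as the
// upstream cache. Pair it with DNSSEC validation so a poisoned upstream
// cache cannot hand your clients a forged record.
options {
    directory "/var/named";              // placeholder path
    recursion yes;
    allow-recursion { 10.0.0.0/8; };     // placeholder: internal clients only
    forward only;                        // never fall back to iterating ourselves
    forwarders { 192.0.2.53; };          // placeholder: ISP caching resolver
    dnssec-validation auto;              // validate answers, including forwarded ones
};

// --- Choice B: resolve iteratively from the root hints (no forwarders) ---
// named walks root -> TLD -> authoritative itself. More round trips on a
// cold cache, but no dependence on a third party's cache contents.
// (Use one of the two options blocks per named.conf, not both.)
options {
    directory "/var/named";              // placeholder path
    recursion yes;
    allow-recursion { 10.0.0.0/8; };     // placeholder: internal clients only
    // no forward / forwarders statements here
    dnssec-validation auto;
};

zone "." {
    type hint;
    file "named.root";                   // root hints file from the root operators
};
```

Whichever choice is made, keep recursion restricted to internal clients: a firewall resolver that answers recursive queries for the whole Internet becomes both an amplification source and an easier poisoning target.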
