Firewall Wizards mailing list archives
Re: DNS forwarding
From: Bill_Royds () pch gc ca
Date: Mon, 5 Oct 1998 09:45:30 -0400
I think it depends on how much you trust your ISP's cache. If you forward a request to a cache, it might have been poisoned (filled with incorrect lookups by a rogue DNS server). If you go directly to the root server, it will be clean but will cost you delays in lookup and recursion costs. It is safer to go to the root, but more expensive.

John McDermott <jjm () jkintl com> said

To: firewall-wizards () nfr net
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: DNS forwarding

All,

I was recently discussing what one might do when forwarding DNS through a firewall. [I know about the issues of using a non-transparent proxy, etc., but that is not the issue here.]

My question is where to point the firewall to resolve internal forwarded queries. For example, if internal host foo.local.net asks for www.external.com, should the firewall forward the query directly to a root server or should it forward the query to, for example, the ISP's caching server?

My thought has always been to forward to the local caching server to take load off the root servers (in the example above, surely the info for an appropriate .com server is cached in the ISP's server). I have also heard that all firewalls should forward to the root server.

What are your feelings on this, and is there some sort of definitive recommendation? I checked the firewalls FAQ and the DNS FAQ and I could not find a "best practices" recommendation in either. Maybe this has not been addressed by the FAQs or maybe I have old versions.

Thanks,
--john

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293
FAX: 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------
Attachment:
att1.eml
Description:
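The two choices discussed in this thread, written out as BIND named.conf fragments. This is an added illustration, not configuration from either poster; the forwarder address 192.0.2.53 is a documentation-range placeholder standing in for an ISP's caching server, and the hints file path is the conventional one and is an assumption.

```conf
// Option A: forward everything to the ISP's caching server.
// Fast and light on the root servers, but the firewall's resolver
// inherits whatever is in that cache, poisoned entries included,
// so the trust placed in the ISP's cache is the whole story here.
options {
    directory "/var/named";
    forwarders { 192.0.2.53; };   // placeholder ISP cache address
    forward only;                 // never fall back to iterating ourselves
    recursion yes;
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; };  // internal clients only
};

// Option B: no forwarders; resolve iteratively from the root hints.
// Each answer comes from the authoritative chain rather than a shared
// cache, at the cost of extra lookups and more outbound DNS traffic.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; };  // internal clients only
};

zone "." {
    type hint;
    file "named.root";   // assumed path to the root hints file
};
```

The two `options` blocks are alternatives and would not both appear in one file; the `allow-recursion` line is included in both because a resolver that recurses for arbitrary outside hosts is exposed regardless of which upstream it uses.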
Current thread:
- DNS forwarding John McDermott (Oct 02)
- <Possible follow-ups>
- Re: DNS forwarding trall (Oct 05)
- Re: DNS forwarding Bill_Royds (Oct 05)
- Re: DNS forwarding Randy Garbrick (Oct 07)