Setting up BIND to forward to patched name server

Forwarding means using another name server, called a "forwarder", to perform recursive lookups on your behalf. It is commonly used when a server should not (or cannot) talk to the Internet directly: instead of resolving queries itself, it relays them to the forwarder, which answers from its cache or queries outside name servers on the internal server's behalf. A properly configured forwarding setup can protect an unpatched server from the current security vulnerability, because the vulnerable server no longer exchanges queries and answers with the Internet itself; only the patched forwarder does.

Where an organization cannot quickly patch servers running vulnerable code, additional servers running newly patched BIND 9 can be deployed and the old servers reconfigured to use them as forwarders.

The same approach helps if the environment suffers from a NAT/PAT device that de-randomizes source ports (rewriting the random source ports the name server chooses into a predictable sequence): point the server at a forwarder that sits outside the NAT but is still on the controlled network. A name server outside the NAT is not affected by that de-randomization, since its queries reach the Internet with the source ports it chose.

ISC is currently providing a secure forwarding service for support customers. Through September 30, 2008, ISC support customers have the option of forwarding their recursive servers' queries to caching resolvers deployed on ISC's SNS production network while the required software upgrades are performed on their own networks.

Other secure forwarding services include Neustar dnsadvantage and OpenDNS. OpenDNS is a free caching recursive DNS service which has been confirmed as not susceptible to the attack. Note that OpenDNS does NXDOMAIN remapping: a lookup for a non-existent name returns an address that takes you to an advertising web page, which affects any application that relies on NXDOMAIN answers, not just browsers. This can be disabled. The OpenDNS name servers as listed at https://www.opendns.com/start are 208.67.222.222 and 208.67.220.220.

BIND is easily configured to use a forwarder with the "forwarders" option, which lists the IP addresses of the servers to relay queries to. Multiple forwarders may be listed; BIND tracks their response times and sends most queries to the fastest one.

The default ("forward first;") is to query the forwarders first and, if no forwarder answers, fall back to resolving the name itself. For this workaround that fallback defeats the purpose: if the forwarders become unreachable, an unpatched server silently resumes querying the Internet with its own vulnerable code. To use the forwarders exclusively and never perform its own lookups, set "forward only;".

The following example for named.conf shows a simple way to use forwarders:

options {
	// only use forwarders; never recurse on our own
	forward only;
	// replace with the IPs of your secure (patched) forwarders
	forwarders { 192.168.100.12; 10.0.54.5; };
};

Firewalls should allow DNS transactions (UDP and TCP port 53) between the internal server and the external server servicing the forwarded requests, and the forwarder itself must be able to reach the Internet. Once forwarding is in place, the unpatched internal server's own outbound DNS access to the Internet can be removed, so that an accidental fallback to its own recursion is blocked rather than silently succeeding.

More information about forwarding is in chapter 6 of the BIND Administrator Reference Manual.