Root server DNS traffic across Linux/ipchains firewall?

Barry Margolin barmar at bbnplanet.com
Thu Oct 21 23:00:27 UTC 1999


In article <380F9639.90BC65C2 at home.com>,
Steve Snyder  <swsnyder at home.com> wrote:
>Given these circumstances, it seems reasonable to assume that I will 
>only be contacted by 15 specific addresses: my ISP's 2 nameservers and 
>the 13 root nameservers.  
>
>Is this a valid assumption?

No.  When you query a root nameserver it will return a referral to the
authoritative server for the domain you're asking about.  You will then
query that server.  Queries to root servers and authoritative servers don't
have the recursion_desired flag set, and the root servers all have
recursion disabled.

If you want to receive DNS responses only from addresses you put in your
firewall rules, configure "forward only", and then you'll only query your
ISP's nameservers.  This means you won't have a fallback if both of your
ISP's servers die at the same time, but hopefully this will be unlikely.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
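The "forward only" arrangement Barry describes, written out as a concrete configuration. This is an added example, not code from the original post, from Barry Margolin, or from the BIND project: it generates a named.conf options stanza that forwards every query to the ISP's two nameservers (so the resolver never follows a root referral) and emits the matching ipchains input rules that accept DNS traffic only from those two addresses. The addresses (RFC 5737 documentation ranges), the interface name and the file paths are assumptions. The rules are printed rather than executed so they can be reviewed before being piped into sh on the firewall host.

```shell
#!/bin/sh
# Added example (not from the original post): a forward-only BIND resolver
# plus the ipchains input rules that permit DNS only from the two forwarders.
# All addresses and the interface name below are constructed placeholders.

RESOLVER=192.0.2.10                   # this host: the resolver behind ipchains
ISP_NS="198.51.100.1 198.51.100.2"    # the ISP's two nameservers (assumed)
EXT_IF=eth0                           # external interface (assumed)

# 1. named.conf options: "forward only" sends every query to the forwarders
#    and never chases referrals, so no root or authoritative server is ever
#    contacted. query-source pins our outbound port to 53 so the firewall
#    can match the replies on a fixed destination port.
write_named_conf() {
    out="$1"
    servers=""
    for ns in $ISP_NS; do
        servers="$servers $ns;"
    done
    cat > "$out" <<EOF
options {
    directory "/var/named";
    forward only;
    forwarders {$servers };
    query-source address * port 53;
};
EOF
}

# 2. Emit the ipchains rules (one line per rule) without running them.
#    Replies from each forwarder are accepted over UDP, and over TCP for the
#    truncated-response fallback; "! -y" admits only non-SYN TCP segments,
#    i.e. connections we initiated. Anything else aimed at our DNS port is
#    denied and logged (-l).
dns_rules() {
    for ns in $ISP_NS; do
        echo "ipchains -A input -i $EXT_IF -p udp -s $ns 53 -d $RESOLVER 53 -j ACCEPT"
        echo "ipchains -A input -i $EXT_IF -p tcp ! -y -s $ns 53 -d $RESOLVER 53 -j ACCEPT"
    done
    echo "ipchains -A input -i $EXT_IF -p udp -d $RESOLVER 53 -j DENY -l"
    echo "ipchains -A input -i $EXT_IF -p tcp -d $RESOLVER 53 -j DENY -l"
}

# Print the rule set for review; on the firewall host: dns_rules | sh
dns_rules
```

Two caveats a practitioner would want. First, as the post says, with "forward only" there is no fallback if both forwarders are unreachable; the DENY rules make that explicit, since a referral from a root server would now be dropped rather than answered. Second, pinning the query source port to 53 is what makes a tight firewall match possible, but a fixed source port also makes forged replies easier to deliver; later guidance (RFC 5452) has resolvers randomise the query port, in which case the ACCEPT rules should match replies to the resolver's ephemeral port range instead of port 53.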