Firewall and DNS Forwarders

Barry Margolin barmar at bbnplanet.com
Wed Sep 29 20:58:41 UTC 1999


In article <199909291929.NAA12284 at llama.swcp.com>,
Bill Larson <wllarso at swcp.com> wrote:
>I'm leaning towards this solution 3, but have concerns.  The concern
>that I have is that I remember something from a long time ago about NOT
>chaining together forwarders.  I believe that this came from the
>DNS&BIND book, but am not sure.  Can anyone confirm or deny this?

The DNS&BIND book does indeed recommend against chaining forwarders; it's
in the note on p.246 of the 3rd edition.  It doesn't explain why, though.
I think the reason is just to keep things understandable, as mentioned in
the paragraph before the note.  Chaining forwarders doesn't generally buy
you much.

>If you should not chain forwarders, why not?  Is there a weakness in
>the DNS logic for doing this?

I think the weakness is only in the ability of humans to keep track of
complex relationships among their server configurations.  Neither the DNS
protocol nor the BIND implementation should have any problem with chained
forwarders.

Actually, one technical problem I can think of is the introduction of
multiple delays.  If the outside forwarder has to query multiple remote
servers because of timeouts, the inside forwarder may time out before it's
done.  You may be able to solve this by listing the outside forwarder
multiple times in the "forwarders" statement -- it will try it again when
it times out the first time (this worked in BIND 4 -- I haven't checked
whether BIND 8 added duplicate removal, which would defeat this).

>Would there be a better solution?

I would probably go with your solution 1, especially if your firewall is
stateful and will only allow inbound DNS responses if they're in reply to
outbound DNS queries (by checking the addresses and ports against recent
outbound packets).

>Another, related question.  What is the maximum number of forwarders
>that can be specified in a BIND configuration?

named has few arbitrary limits, and I doubt it has a limit on forwarders.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
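The timeout stacking described in the reply above (an outside forwarder that burns its per-attempt timeout on dead remote servers while the inside forwarder gives up on it), and the workaround of listing the outside forwarder more than once, as an added timing model.  This is constructed example code, not BIND's code and not from the original post.  It assumes that each forwarder waits a fixed per-attempt timeout on one upstream before moving to the next in its list, that a reply arriving after that timeout is discarded, and that a repeated query reaching the outside forwarder is answered as soon as the resolution it already has in flight completes; the 5 s timeouts and the two dead remote servers are constructed inputs.

```python
# Added example: a simplified timing model of chained DNS forwarders.
# Not BIND code.  Assumptions (stated in the lead-in): fixed per-attempt
# timeout per upstream, late replies discarded, and the outside forwarder's
# in-flight resolution continuing across the inside forwarder's retries.

from typing import List, Optional

DEAD = None  # constructed marker: a remote server that never answers


def outer_forwarder_answer_time(per_attempt_timeout: float,
                                remote_latencies: List[Optional[float]]) -> Optional[float]:
    """Time (seconds from the first query) at which the outside forwarder
    obtains an answer.

    remote_latencies lists the round-trip time of each remote server in the
    order the forwarder tries them; DEAD means the server never responds, so
    the forwarder spends the full per-attempt timeout before moving on.
    Returns None when no remote server answers within its attempt window.
    """
    elapsed = 0.0
    for latency in remote_latencies:
        if latency is not None and latency <= per_attempt_timeout:
            return elapsed + latency
        elapsed += per_attempt_timeout  # attempt timed out; try the next server
    return None


def inner_forwarder_answer_time(per_attempt_timeout: float,
                                listings: int,
                                outer_answer_time: Optional[float]) -> Optional[float]:
    """Time at which the inside forwarder gets its answer, or None.

    The inside forwarder sends the query to the outside forwarder once per
    entry in its "forwarders" statement, re-sending when an attempt times out.
    The outside forwarder's resolution started with the first attempt and
    completes at outer_answer_time regardless of the retries, so the inside
    server is answered only if one of its attempt windows is still open then.
    """
    if outer_answer_time is None:
        return None
    total_budget = listings * per_attempt_timeout
    if outer_answer_time < total_budget:
        return outer_answer_time
    return None  # every attempt timed out before the outside forwarder finished


def chained_forwarder_scenario(inner_listings: int) -> dict:
    """Constructed scenario: the outside forwarder tries two dead ISP resolvers
    (5 s timeout each) before a live one answering in 0.2 s; the inside
    forwarder also uses a 5 s per-attempt timeout and lists the outside
    forwarder inner_listings times."""
    outer = outer_forwarder_answer_time(5.0, [DEAD, DEAD, 0.2])
    inner = inner_forwarder_answer_time(5.0, inner_listings, outer)
    return {"outer_answer_time": outer, "inner_answer_time": inner}


if __name__ == "__main__":
    for listings in (1, 2, 3):
        result = chained_forwarder_scenario(listings)
        print(f"outside forwarder listed {listings}x: "
              f"outer answers at {result['outer_answer_time']}s, "
              f"inside forwarder gets "
              f"{'no answer' if result['inner_answer_time'] is None else str(result['inner_answer_time']) + 's'}")
```

With a single listing the inside forwarder abandons the query at 5 s while the outside forwarder is still waiting on the second dead server; with three listings its retries keep a window open until the 10.2 s answer arrives.  The model also shows why removing the middle hop (the inside server querying the remote servers itself) avoids the problem entirely: there is then only one timeout schedule to reason about.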

