Root server DNS traffic across Linux/ipchains firewall?

Steve Snyder swsnyder at home.com
Thu Oct 21 23:42:18 UTC 1999


Barry Margolin wrote:
> 
> In article <380F9639.90BC65C2 at home.com>,
> Steve Snyder  <swsnyder at home.com> wrote:
> >Given these circumstances, it seems reasonable to assume that I will
> >only be contacted by 15 specific addresses: my ISP's 2 nameservers and
> >the 13 root nameservers.
> >
> >Is this a valid assumption?
> 
> No.  When you query a root nameserver it will return a referral to the
> authoritative server for the domain you're asking about.  You will then
> query that server.  Queries to root servers and authoritative servers don't
> have the recursion_desired flag set, and the root servers all have
> recursion disabled.
> 
> If you want to receive DNS responses only from addresses you put in your
> firewall rules, configure "forward only", and then you'll only query your
> ISP's nameservers.  This means you won't have a fallback if both of your
> ISP's servers die at the same time, but hopefully this will be unlikely.

Thanks for pointing out this gotcha.

***** Steve Snyder *****
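Barry's point about referrals, worked through as an added example (this is not code from the thread and not BIND's own resolver): a resolver that has asked a root or TLD server for www.example.com gets back no answer, only NS records for the zone plus glue addresses, and its next query goes to those glue addresses, which were never in the 15-address list. The parser below builds such a referral by hand (the names and the 192.0.2.0/24 addresses are constructed TEST-NET values, and the "expected peer" set stands in for the poster's ISP-plus-roots list), then extracts the servers the resolver would contact next. It also bounds compression-pointer hops, since a looping pointer is the classic way to hang a naive DNS parser.

```python
"""Added example: build and parse DNS messages to show that a referral names
servers outside any fixed list of root/ISP addresses.  All names, addresses
and IDs are constructed for illustration (example.com, 192.0.2.0/24)."""
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qid, recursion_desired):
    """A/IN query.  An iterative resolver leaves RD clear when talking to
    root and authoritative servers; a stub resolver sets it."""
    flags = FLAG_RD if recursion_desired else 0
    return (struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN))


def build_referral(qid, qname, zone, nameservers):
    """Constructed referral: no answers, NS records in the authority section,
    glue A records in additional (their owner names are compression pointers
    back to the NS rdata, as real servers emit), QR set, AA/RD/RA all clear."""
    msg = struct.pack("!HHHHHH", qid, FLAG_QR, 1, 0, len(nameservers), len(nameservers))
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    offsets = {}
    for nsname, _ in nameservers:
        rdata = encode_name(nsname)
        msg += encode_name(zone) + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 172800, len(rdata))
        offsets[nsname] = len(msg)
        msg += rdata
    for nsname, ip in nameservers:
        msg += struct.pack("!H", 0xC000 | offsets[nsname])  # pointer to the NS name
        msg += struct.pack("!HHIH", TYPE_A, CLASS_IN, 172800, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it).
    Pointer hops are bounded so a hostile message cannot loop the parser."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_rr(msg, off):
    name, off = decode_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == TYPE_A and rdlen == 4:
        value = ".".join(str(b) for b in msg[off:off + 4])
    elif rtype == TYPE_NS:
        value, _ = decode_name(msg, off)
    else:
        value = msg[off:off + rdlen]
    return {"name": name, "type": rtype, "ttl": ttl, "rdata": value}, off + rdlen


def parse_message(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        questions.append((qname,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        sections[key] = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            sections[key].append(rr)
    return {"id": qid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "questions": questions, **sections}


def referral_targets(parsed):
    """Addresses the resolver queries next: glue A records for the NS names in
    the authority section of an answerless response.  Empty if not a referral."""
    if parsed["answer"] or not parsed["authority"]:
        return set()
    ns_names = {rr["rdata"] for rr in parsed["authority"] if rr["type"] == TYPE_NS}
    return {rr["rdata"] for rr in parsed["additional"]
            if rr["type"] == TYPE_A and rr["name"] in ns_names}


def unexpected_peers(expected_peers):
    """Which next-hop addresses fall outside a fixed allow-list (constructed data)."""
    referral = build_referral(0x1234, "www.example.com.", "example.com.",
                              [("ns1.example.net.", "192.0.2.10"),
                               ("ns2.example.net.", "192.0.2.11")])
    return referral_targets(parse_message(referral)) - set(expected_peers)
```

With a placeholder allow-list of just the ISP's two resolvers (say 192.0.2.53 and 192.0.2.54, constructed), `unexpected_peers` returns both glue addresses: the firewall would drop the replies to the resolver's follow-up queries. The configuration counterpart Barry describes is, in BIND's options block, `forward only;` together with a `forwarders { ... };` list naming the ISP's servers, after which the only remote DNS peers are those forwarders and the rule set can be written to match.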
