Firewall and DNS Forwarders

Bill Larson wllarso at swcp.com
Wed Sep 29 19:29:05 UTC 1999


I have a situation where we ***REALLY*** need to block most all DNS
traffic from going through our firewall.  At the same time, we still
need to support DNS queries from inside the firewall to outside
servers.  The firewall would be programmed to only allow traffic to, or
from, a specific set of name servers that management controls.  For
users that run their own name servers, they will have to be
re-configured as forwarding name servers using the name servers that we
are managing as possible forwarding destinations.

I can imagine three possible solutions to our situation by configuring
sets of name servers on one side or the other of the firewall (or
both), and limiting port 53 traffic to be either originating from, or
destined to, these servers.  In all situations, NO DNS queries would be
allowed that initiate from outside of the firewall destined for an IP
address inside the firewall.  Possible setups include:

    1.  Have a set of name servers on the inside and have the firewall
        limit outgoing DNS traffic originating from only these
        servers.

    2.  Have a set of name servers on the outside and have the firewall
        limit outgoing DNS traffic to only these servers.

    3.  Have a set of forwarding name servers on the inside which
        forward to a set of name servers on the outside and have the
        firewall limit DNS traffic to only traffic between these two
        sets of servers.

Solutions 1 and 2 seem straightforward, but I have concerns with the
potential amount of DNS traffic flowing through the firewall.  In this
respect, solution 1 (internal servers) appears the best.

Solution 3 sounds even better because we can control the systems on
BOTH sides of the firewall and employ the tightest controls on traffic
through the firewall.

I'm leaning towards this solution 3, but have concerns.  The concern
that I have is that I remember something from a long time ago about NOT
chaining together forwarders.  I believe that this came from the
DNS&BIND book, but am not sure.  Can anyone confirm or deny this?

If you should not chain forwarders, why not?  Is there a weakness in
the DNS logic for doing this?

Would there be a better solution?

Another, related question.  What is the maximum number of forwarders
that can be specified in a BIND configuration?

Thanks,

Bill Larson (wllarso at swcp.com)
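Setup 3 written out in BIND 9 named.conf syntax, added here as an illustration and not taken from Bill's message or any reply to it. Every name and address is a placeholder: 10.0.0.0/8 stands for the inside network, and the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges stand for the outside.

```conf
// Added example (not from the original post): the three tiers of setup 3.
// Placeholder addresses: 10.0.0.53 = internal forwarder,
// 198.51.100.53/.54 = managed outside servers, 192.0.2.53 = the address
// the internal forwarder's queries arrive from as seen on the outside.

// ---- /etc/named.conf on the internal forwarding-only server -----------
acl internal_clients { 10.0.0.0/8; localhost; };

options {
    directory "/var/named";
    listen-on { 10.0.0.53; };
    recursion yes;
    allow-query     { internal_clients; };
    allow-recursion { internal_clients; };
    // "forward only": never fall back to iterating from the roots (the
    // firewall would drop that traffic anyway).  Every outside lookup goes
    // to the managed servers, so the firewall only has to permit port 53
    // between 10.0.0.53 and 198.51.100.53/.54.
    forward only;
    forwarders { 198.51.100.53; 198.51.100.54; };
};

// ---- /etc/named.conf on a managed server outside the firewall ---------
acl internal_forwarders { 192.0.2.53; };

options {
    directory "/var/named";
    listen-on { 198.51.100.53; };
    recursion yes;                 // this tier does the full iterative lookup
    allow-query     { internal_forwarders; localhost; };
    allow-recursion { internal_forwarders; localhost; };
    // Refusing recursion to anyone else keeps this host from acting as an
    // open resolver for the rest of the Internet.
};

// ---- /etc/named.conf on a user-run server inside the firewall ---------
// Reconfigured as the post describes: it forwards to the managed internal
// set instead of talking through the firewall itself.  This is the
// forwarder-behind-a-forwarder chain the question is about.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { 10.0.0.0/8; localhost; };
    allow-recursion { 10.0.0.0/8; localhost; };
    forward only;
    forwarders { 10.0.0.53; };
};
```

With `forward only` on both inside tiers, a failure of the managed servers means resolution stops rather than leaking root-server queries toward the firewall, which makes dropped port 53 packets at the firewall a useful signal that some host is not configured as intended.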
