Firewall and DNS Forwarders
Mark_Andrews at isc.org
Wed Sep 29 22:30:23 UTC 1999
> In article <199909291929.NAA12284 at llama.swcp.com>,
> Bill Larson <wllarso at swcp.com> wrote:
> >I'm leaning towards this solution 3, but have concerns. The concern
> >that I have is that I remember something from a long time ago about NOT
> >chaining together forwarders. I believe that this came from the
> >DNS&BIND book, but am not sure. Can anyone confirm or deny this?
>
> The DNS&BIND book does indeed recommend against chaining forwarders; it's
> in the note on p.246 of the 3rd edition. It doesn't explain why, though.
> I think the reason is just to keep things understandable, as mentioned in
> the paragraph before the note. Chaining forwarders doesn't generally buy
> you much.
>
> >If you should not chain forwarders, why not? Is there a weakness in
> >the DNS logic for doing this?
>
> I think the weakness is only in the ability of humans to keep track of
> complex relationships among their server configurations. Neither the DNS
> protocol nor the BIND implementation should have any problem with chained
> forwarders.
>
> Actually, one technical problem I can think of is the introduction of
> multiple delays. If the outside forwarder has to query multiple remote
> servers because of timeouts, the inside forwarder may timeout before it's
> done. You may be able to solve this by listing the outside forwarder
> multiple times in the "forwarders" statement -- it will try it again when
> it times out the first time (this worked in BIND 4 -- I haven't checked
> whether BIND 8 added duplicate removal, which would defeat this).
BIND 8.2.1 had duplicate detection, but it also retries forwarders.
>
> >Would there be a better solution?
>
> I would probably go with your solution 1, especially if your firewall is
> stateful and will only allow inbound DNS responses if they're in reply to
> outbound DNS queries (by checking the addresses and ports against recent
> outbound packets).
>
> >Another, related question. What is the maximum number of forwarders
> >that can be specified in a BIND configuration?
>
> named has few arbitrary limits, and I doubt it has a limit on forwarders.
There is an effective limit of MAXNS (16).
Mark
>
> --
> Barry Margolin, barmar at bbnplanet.com
> GTE Internetworking, Powered by BBN, Burlington, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
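The chained arrangement the thread is discussing, written out as two BIND named.conf fragments. This is an added illustration, not configuration posted by anyone in the thread; the addresses 192.0.2.53 (inside resolver), 198.51.100.53 (forwarder on the DMZ side of the firewall) and the 192.0.2.0/24 inside network are placeholders, and the directive names are the standard BIND `options` statements.

```conf
// Added example: inside resolver (placeholder address 192.0.2.53).
// It never talks to the Internet itself; anything not in its cache
// is handed to the DMZ forwarder, so the firewall only needs to
// permit DNS from the DMZ host, not from every inside server.
options {
    directory "/var/named";
    forward only;                    // never fall back to resolving on its own
    forwarders { 198.51.100.53; };   // the DMZ forwarder (placeholder)
};

// Added example: DMZ forwarder (placeholder address 198.51.100.53).
// This is the end of the chain: it resolves iteratively from the
// root servers rather than forwarding again, which keeps the chain
// to one hop and limits the timeout stacking described above.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // only the inside resolvers may recurse through it
};
```

Each additional forwarding hop adds the chance that the inside server gives up before the outside one has finished its own retries, which is the one technical objection raised above; keeping the DMZ forwarder as the last hop, and restricting who may recurse through it, keeps the relationship simple enough to reason about.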