Firewall and DNS Forwarders

Mark_Andrews at isc.org
Wed Sep 29 22:30:23 UTC 1999


> In article <199909291929.NAA12284 at llama.swcp.com>,
> Bill Larson <wllarso at swcp.com> wrote:
> >I'm leaning towards this solution 3, but have concerns.  The concern
> >that I have is that I remember something from a long time ago about NOT
> >chaining together forwarders.  I believe that this came from the
> >DNS&BIND book, but am not sure.  Can anyone confirm or deny this?
> 
> The DNS&BIND book does indeed recommend against chaining forwarders; it's
> in the note on p.246 of the 3rd edition.  It doesn't explain why, though.
> I think the reason is just to keep things understandable, as mentioned in
> the paragraph before the note.  Chaining forwarders doesn't generally buy
> you much.
> 
> >If you should not chain forwarders, why not?  Is there a weakness in
> >the DNS logic for doing this?
> 
> I think the weakness is only in the ability of humans to keep track of
> complex relationships among their server configurations.  Neither the DNS
> protocol nor the BIND implementation should have any problem with chained
> forwarders.
> 
> Actually, one technical problem I can think of is the introduction of
> multiple delays.  If the outside forwarder has to query multiple remote
> servers because of timeouts, the inside forwarder may timeout before it's
> done.  You may be able to solve this by listing the outside forwarder
> multiple times in the "forwarders" statement -- it will try it again when
> it times out the first time (this worked in BIND 4 -- I haven't checked
> whether BIND 8 added duplicate removal, which would defeat this).

	BIND 8.2.1 had duplicate detection, but it also retries forwarders.
> 
> >Would there be a better solution?
> 
> I would probably go with your solution 1, especially if your firewall is
> stateful and will only allow inbound DNS responses if they're in reply to
> outbound DNS queries (by checking the addresses and ports against recent
> outbound packets).
> 
> >Another, related question.  What is the maximum number of forwarders
> >that can be specified in a BIND configuration?
> 
> named has few arbitrary limits, and I doubt it has a limit on forwarders.

	There is an effective limit of MAXNS (16).

	Mark
> 
> -- 
> Barry Margolin, barmar at bbnplanet.com
> GTE Internetworking, Powered by BBN, Burlington, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
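An added example, not code from this thread or from ISC/BIND: a small Python lint that pulls the `forwarders` statements out of a constructed named.conf fragment and applies the two points Mark makes above, duplicate detection (BIND 8.2.1 and later) and the effective MAXNS (16) limit. It assumes that entries beyond the first 16 distinct addresses are simply never used, and it parses only the plain `forwarders { addr; ... };` form, not ports or views.

```python
"""Lint the `forwarders` statements in a BIND named.conf fragment.

Added example (not ISC's code). Two checks drawn from the thread:
duplicates are collapsed the way BIND 8.2.1+ does, and anything past the
first MAXNS (16) distinct forwarders is assumed never to be queried.
"""
import re

MAXNS = 16  # effective forwarder limit cited in the thread

# Constructed sample named.conf fragment: one options block and one zone
# that forwards to a second server, with one forwarder listed twice.
SAMPLE_CONF = """
options {
    forward only;
    // outside forwarder listed twice (BIND 4 trick, no effect on 8.2.1+)
    forwarders { 192.0.2.1; 192.0.2.1; 192.0.2.2; };
};
zone "example.test" {
    type forward;
    forwarders { 198.51.100.1; }; /* chained to a second forwarder */
};
"""


def strip_comments(conf: str) -> str:
    """Remove /* */, // and # comments so they cannot hide addresses."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def parse_forwarders(conf: str) -> list[list[str]]:
    """Return the address list of every `forwarders { ... };` statement."""
    blocks = re.findall(r"\bforwarders\s*\{([^}]*)\}", strip_comments(conf))
    return [[a.strip() for a in b.split(";") if a.strip()] for b in blocks]


def lint_forwarders(addrs: list[str]) -> dict:
    """Report duplicates and MAXNS overflow for one forwarders statement."""
    unique = list(dict.fromkeys(addrs))  # order-preserving dedup, as 8.2.1+ does
    return {
        "configured": len(addrs),
        "effective": min(len(unique), MAXNS),
        "duplicates": [a for a in unique if addrs.count(a) > 1],
        "ignored": unique[MAXNS:],  # assumed never queried past MAXNS
    }


if __name__ == "__main__":
    for stmt in parse_forwarders(SAMPLE_CONF):
        print(stmt, "->", lint_forwarders(stmt))
```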

