Arguments for/against use of forwarders{}?

Simon Waters Simon at wretched.demon.co.uk
Mon May 21 17:27:17 UTC 2001


Steve Snyder wrote:
> 
> What are the relative merits of using or not using the forwarders option?

I've been known on the list as a "pro-forwarder" - if we're
going to get political *8) 

> My nameserver (BIND v9.1, running on Linux) provides name resolution for
> the rest of my LAN.  This server in turn can resolve queries sent to it in
> 1 of 2 ways: either by contacting the root name servers or by forwarding
> the query to my ISP's nameservers.  For the long term (i.e. caching) which
> is the better method?

"My nameserver" singular - and the guys are worrying about
the target(s!?) of forward directives being a single point
of failure. I suggest you want two or more nameservers -
otherwise you already have a single point of failure in your
DNS forwarding or not.
 
> I am not referring to a "forward first" or "forward only" choice, but to a
> simple config like this:

There are two primary reasons to consider forwarding:

Security: We need only exchange DNS packets with specific
DNS servers.

The idea being that this is an extra level of defence
against attacks like the recent tsig problem in BIND: to
attack my name servers you first need to attack my ISP's name
servers (spoofing complicates this - but if your ISP is good
this probably isn't a problem).

Performance: DNS resolution via forwarders can be faster.

If, like me, your ISP supports 100,000's of dial customers
using their DNS servers, and the machines still respond
quickly, then you can safely assume that many requests will
be met from the DNS servers cache. 

If your ISP is a lot smaller, or you even have the inkling
that their DNS servers may run slowly when at peak load,
just forget forwarding to them.

Now if you want "security" and "performance" you just
forward.

If you want "performance" you "forward first", so as to
improve reliability.

If you want "reliability" and "consistency in response" you
just do a plain vanilla DNS install and use the root name
servers.

Consider a lot of the DNS experts in this group have seen a
lot of bad configurations resulting from the over use of
forwarders. Forwarding makes troubleshooting harder.

For performance we are talking about routinely looking up
lots of different DNS records, such as some firewall or web
log processing tools do, or possibly some sorts of mailing
list handling, or perhaps robots that are indexing or
scanning the Internet. Most sites don't have this kind of
DNS lookup pattern and so gain far less in performance from
using forwarders.

I've documented the performance gains of using forwarding to
my ISP's DNS over a 64Kbps link to the Internet, and the
resulting speed up whilst processing arbitrary lists of
domain names is quite significant - certainly compared to
the overall DNS lookup time. It is reasonable to assume
these benefits would decline if I had a faster Internet
connection, or a smaller, less capable ISP.

So having made the pro-forwarding arguments again - let's
summarise as:

Most people want a reliable DNS, which is easy to
troubleshoot, so most people don't want to use forwarding.
 
..Snip..
 
> A related question: does the use of "query-source address * port 53"
> impact the above decision?  If so, how?

No, it doesn't impact the decision, although it might reveal
someone in need of a better firewall *;-)

-- 
Simon Waters
Are you using the Internet to best effect ?
www.eighth-layer.com
Tel: +44(0)1395 232769      ICQ: 116952768
Moderated discussion of teleworking issues at
news:uk.business.telework
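The three choices laid out in the reply above ("just forward", "forward first", and plain recursion from the roots), as an added named.conf example that is not part of the original post or of ISC's documentation; the resolver addresses and LAN range are placeholders.

```conf
// Added example. 192.0.2.53 / 192.0.2.54 are placeholder ISP resolver
// addresses and 192.168.0.0/24 is an assumed LAN. Use exactly ONE of
// the three "options" blocks below in a real named.conf.

// (1) "just forward": security and performance. named only ever talks
//     to the two forwarders, so the egress firewall can restrict port 53
//     to those addresses. If both forwarders are down, resolution fails.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.168.0.0/24; localhost; };
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;
};

// (2) "forward first": performance with a fallback. Queries go to the
//     forwarders first; if they do not answer, named recurses from the
//     roots itself. The firewall must then allow port 53 to arbitrary
//     Internet hosts, so the "only talk to the ISP" argument is lost.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.168.0.0/24; localhost; };
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward first;    // this is the default once forwarders are listed
};

// (3) plain recursion from the root servers: reliability, consistent
//     answers and the easiest troubleshooting. No forwarders at all;
//     the root hints zone below is what named starts from.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.168.0.0/24; localhost; };
    // query-source address * port 53;
    // Only needed when a firewall blocks replies to unprivileged source
    // ports. It pins every query to one source port, giving up source-port
    // randomisation, so leave it out unless the firewall forces it.
};

zone "." {
    type hint;
    file "named.root";    // root hints file; path is an assumption
};
```

With (1), a packet filter that only permits outbound port 53 to the two forwarder addresses is a simple check that the server really is exchanging DNS only with the ISP.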
