
Should I use DNS forwarders?


b1naryman
Oct 4, 2006, 6:01:01 PM
DNS works fine without using upstream forwarding. What am I missing here? -
Thanks

Herb Martin
Oct 5, 2006, 12:24:14 PM
"b1naryman" <b1na...@discussions.microsoft.com> wrote in message
news:DD607416-1E3A-4360...@microsoft.com...

> DNS works fine without using upstream forwarding. What am I missing
> here? -
> Thanks

In general, forwarding is a GOOD thing even when not
made mandatory by firewalls.

There are TWO primary reasons for using forwarders:

1) Security
2) Performance/bandwidth conservation

So you MUST use forwarding when your firewalls or
corporate security policy forbids internal DNS servers
from visiting the Internet and you can benefit when the
WANS layout makes the forwarder more efficient.

1) Security is enhanced if you use a public forwarder instead of
your usually sensitive INTERNAL DNS Servers (which usually
are DCs in a Windows Domain environment) -- do you really
want your internal servers visiting the ENTIRE Internet, including
places like "ReallyEvilHackers.com"?

Your Security policy -- either actual FIREWALL RULES or just
an agreed policy should prevent those internal servers from
visiting the Internet for all but the most essential tasks (e.g.,
updating at Microsoft perhaps.)

2) Performance is enhanced if the Forwarder has the needed
record in cache, and this likelihood increases as that forwarder
has more clients and other DNS servers forwarding to it (a
single DNS forwarder can service your Internet lookups for ALL
of the internal DNS servers so that the "cache is consolidated",
while an ISP's DNS server -- especially a large ISP -- can
consolidate cache from hundreds of other DNS servers or even
thousands.)

Reducing bandwidth usage on the WAN is done by using that
consolidated cache on a single (or small number) of your
own DNS servers OR by forwarding a single message
across the WAN to a DNS server that is "closer to the backbone"
and which then makes what might be MULTIPLE requests to
service what is essentially a single question (i.e., recursing.)

This latter not only reduces bandwidth usage but can enhance
performance since those multiple requests and responses
don't have to travel back over the WAN but can be handled
by the server in the "best position" relative to the Internet.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


b1naryman
Oct 5, 2006, 1:46:02 PM
Thanks for your response Herb. I have a DNS proxy on my firewall, so I'm less
concerned about security. As for performance and bandwidth conservation, I'm
not seeing the advantage. I wrote a simple script that blasts DNS queries to
a long list of domains. Using my ISP's DNS servers as forwarders, I get some
lookup failures. When I remove the forwarders, I get no timeouts. The ISP
claims there is nothing wrong with their DNS servers, but I have no way to
prove that. If I use public DNS servers as my forwarders, performance is even
worse.
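An added example, not code from the thread or from either poster, of the kind of measurement script b1naryman describes: it sends A queries for a list of names to a candidate resolver (an ISP forwarder, a firewall caching server) over UDP, buckets each result as answered, SERVFAIL, NXDOMAIN, timeout or unreachable, and reports counts plus median latency so two forwarder candidates can be compared from the same client position. The names, resolver addresses and timeout are constructed assumptions; the helper names (`build_query`, `parse_header`, `classify`, `summarize`, `run_batch`) are this example's own.

```python
"""DNS forwarder measurement harness (added example; names and addresses below
are constructed placeholders, not values from the thread)."""
import random
import socket
import statistics
import struct
import time

# Constructed sample inputs: documentation-range addresses, reserved names.
SAMPLE_NAMES = ["example.com", "example.net", "example.org"]
SAMPLE_RESOLVERS = {"isp-forwarder": "192.0.2.53", "firewall-cache": "192.0.2.1"}


def build_query(name, qid):
    """Build a standard A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(data, qid):
    """Decode the 12-byte header: enough to match the transaction id and
    classify the outcome without walking the answer section."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id_ok": rid == qid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def classify(hdr):
    """Map a parsed header to a result bucket."""
    if hdr["rcode"] == 0:
        return "ok" if hdr["answers"] > 0 else "noanswer"
    return {2: "servfail", 3: "nxdomain", 5: "refused"}.get(hdr["rcode"], "other")


def query(server, name, timeout=2.0):
    """Send one query over UDP; return {'name', 'status', 'ms'}."""
    qid = random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.perf_counter()
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        while True:
            data, _ = sock.recvfrom(4096)
            hdr = parse_header(data, qid)
            # A packet whose id does not match ours is not our answer
            # (stray or crafted); discard it instead of counting it.
            if hdr["id_ok"] and hdr["is_response"]:
                break
        ms = (time.perf_counter() - start) * 1000.0
        return {"name": name, "status": classify(hdr), "ms": ms}
    except socket.timeout:
        return {"name": name, "status": "timeout", "ms": timeout * 1000.0}
    except OSError:  # e.g. ICMP port unreachable surfaced by the OS
        return {"name": name, "status": "unreachable", "ms": 0.0}
    finally:
        sock.close()


def summarize(results):
    """Count outcomes and give the median latency of queries that got a reply."""
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    replied = [r["ms"] for r in results if r["status"] not in ("timeout", "unreachable")]
    return {"counts": counts, "median_ms": statistics.median(replied) if replied else None}


def run_batch(server, names, timeout=2.0):
    """Query every name once against one resolver and summarize."""
    return summarize([query(server, n, timeout) for n in names])


if __name__ == "__main__":
    for label, addr in SAMPLE_RESOLVERS.items():
        print(label, addr, run_batch(addr, SAMPLE_NAMES))
```

Run it once per candidate with the same name list and compare the `counts` and `median_ms` fields; a forwarder with a warm consolidated cache should show a lower median, while SERVFAIL and timeout counts separate "the ISP's servers are slow" from "the ISP's servers are failing". Note that a second pass over the same names mostly measures cache hits, so keep the first-pass and second-pass results apart.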

Herb Martin
Oct 5, 2006, 4:04:12 PM
"b1naryman" <b1na...@discussions.microsoft.com> wrote in message
news:45777FDF-DE92-40F7...@microsoft.com...

> Thanks for your response Herb. I have a DNS proxy on my firewall, so I'm
> less
> concerned about security.

Why? If you let the DC ask questions through that Proxy then
presumably it has to RECEIVE the answers (from EvilHackers.com).

Suppose there were a bug (or a feature, since there is one such)
that a hacker could exploit by loading the return packet a certain
way....

Most such DNS Proxy (firewall/gateways) can instead serve
as a "DNS Caching only server" and that is the far better choice.

If so, you really should FORWARD to that Firewall instead of
proxying through it.

Whether the Firewall DNS Caching only server forwards to the
ISP or does the recursion itself is a separate choice.

> As for performance and bandwidth conservation, I'm
> not seeing the advantage. I wrote a simple script that blasts DNS queries
> to
> a long list of domains. Using my ISP's DNS servers as forwarders, I get
> some
> lookup failures.

I didn't mention that there are some negatives to forwarding
to the ISP if your ISP runs crappy DNS servers (but in that
case I would actually find a new ISP if possible anyway.)

If you forward to your firewall you get many of the advantages
(especially security and some of the efficiency) without having
to deal with the ISP's bad DNS servers.

[BTW: You asked for Forwarding advantages but neglected
to mention that you had tried it with a crappy ISP which would
have saved us both time as I could have pointed out the specifics
in the first message. <Grin>]

> When I remove the forwarders, I get no timeouts. The ISP
> claims there is nothing wrong with their DNS servers, but I have no way to
> prove that. If I use public DNS servers as my forwarders, performance is
> even
> worse.

Public DNS servers? You really have no business using any
DNS servers as forwarders except your own or your ISP's
(except in limited troubleshooting or very temporary situations).
It's considered very rude.
