On Thu, 2004-11-18 at 07:32, Peter Marshall wrote:
> I am sure this is a stupid question ...but I will ask anyway. Should I be
> allowing my dns server (in my dmz) to connect to root servers? At the moment
> it is being blocked, and the only thing it can connect to is my ISP's DNS
> server. Basically, my dns server serves requests for servers in my dmz for
> my internal users. If it can't find the hit, it passes the request on to my
> ISP's ... I am trying to clean up my firewall logs, and noticed that the DNS
> server is always trying to query root servers. I was just not sure if this
> should be allowed. If it is not, (and I suspect there is no need to) Is
> there a way to make my DNS server stop querying the root servers?
>
> PS DNS is a rh9 box running bind.

oops...apparently CTRL+ENTER sends a message in evolution before you're done
typing--sorry about that last message...

if you're specifying:

    forwarders { x.x.x.x; x.x.x.x; };
    forward only;

then your DNS server should not be falling back to the root servers if your
ISP's servers don't have the answer. the drawback is--if your ISP's servers
don't have the answer--your clients will get a negative response, which
usually isn't what you want.

i normally specify:

    forwarders { x.x.x.x; x.x.x.x; };
    forward first;

and in that case--you need to allow the DNS server out to any IP on port 53,
not just to the root servers (the root servers do not provide recursion).

-j

--
"Dear Baby, Welcome to Dumpsville. Population: You" --The Simpsons
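As an added example (not part of either message in this thread), here is a named.conf options fragment that puts the two modes discussed above side by side, with the firewall consequence of each noted in comments. The forwarder addresses and the internal network ranges are placeholders, and the allow-recursion line is an assumed extra hardening step that neither poster mentioned.

```conf
// Added example, not taken from the original thread. Forwarder IPs and the
// internal address ranges are placeholders, not real addresses.

acl "internal" { 10.0.0.0/8; 192.168.0.0/16; };   // assumed internal ranges

options {
    directory "/var/named";

    // Mode 1: "forward only". Every query this server cannot answer from its
    // own zones goes to the ISP resolvers and nowhere else; named never falls
    // back to the root hints. The firewall only needs to allow UDP/TCP 53 from
    // the DNS server to these two addresses, and the root-server attempts in
    // the logs stop. Drawback: if the forwarders have no answer, clients get
    // a negative response instead of a fallback lookup.
    forwarders { 192.0.2.10; 192.0.2.11; };       // placeholder ISP resolvers
    forward only;

    // Mode 2: "forward first" (use instead of "forward only" above).
    // Forwarders are tried first; if they fail, named performs full recursion
    // from the root hints, so the firewall must allow outbound port 53 from the
    // DNS server to any address, not just to the root servers.
    // forward first;

    // Assumed hardening: only the internal users this server resolves for may
    // recurse through it, so a DMZ-exposed port 53 does not become an open resolver.
    allow-recursion { "internal"; localhost; };
};
```

With forward only, a firewall log entry showing the DNS server reaching any port 53 destination other than the two forwarders is worth investigating, since named itself should never generate one; with forward first, such entries are expected behaviour and the log filter has to be widened instead.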