Forwarders and Firewalls
The slave server/caching-only forwarder combination is very helpful in protecting your intranet zone data. We can use this combination to prevent users on the other side of a firewall from having access to information on our internal DNS server.
For example, at tacteam.net we have an internal DNS server we use to resolve DNS requests for resources inside of our corporate environment. As long as the requests are only for hosts in our internal network, DNS requests represent no security risk. However, what happens when users on the internal network need to access resources on the Internet? What happens when one of our users wants to go to www.funtimes.com?
When the recursive request hits our internal DNS server (which is authoritative only for tacteam.net), what does the server do? It begins to issue iterative queries to other DNS servers on the Internet in order to resolve the Internet host name. In the process, Internet DNS servers must send their responses directly to our internal DNS machine through the firewall. The firewall must have the DNS ports open to Internet hosts in order for DNS responses to be sent to our internal server. This exposes our internal DNS server, its zone data, and the nature of our requests to users on the Internet. How can we avoid this potentially dangerous situation?
The Solution
We can place a caching-only forwarder on the outside of the firewall and configure our internal DNS server to be a slave server. Now when one of our clients issues a name resolution request for an Internet host to our internal DNS server, the internal server forwards the request to the forwarder on the outside of the firewall. The forwarder attempts to resolve the host name to an IP address. If successful, it returns the IP address to our internal DNS server, which in turn returns the IP address to the client that issued the request. If the forwarder is unsuccessful, it reports that to our internal server, and the internal server reports to the client that the host was not found. Our internal slave server will NOT attempt to resolve the host name itself: the slave simply returns what the forwarder told it to the DNS client, and the query fails.
At no time does an Internet DNS server send a response directly to our internal server when we use the slave server/caching-only forwarder combination. The firewall is configured to allow outbound and inbound DNS messages only to and from the forwarder. In this way, our internal zone records are safe.
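The following is an added example (not code from the original article) that models the arrangement described above: a forward-only internal server that answers its own zone locally, hands everything else to the caching-only forwarder, and never iterates on its own, behind a firewall that passes DNS traffic only when the outside party is the forwarder. All addresses, host names and the "Internet" answer table are constructed for the example; the class and function names are the example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed addresses for the example (not taken from the original page).
INTERNAL_DNS = "10.0.0.53"     # internal slave (forward-only) DNS server
FORWARDER = "203.0.113.53"     # caching-only forwarder outside the firewall
ROOT_SERVER = "198.41.0.4"     # stands in for any Internet DNS server
DNS_PORT = 53

# Constructed stand-in for what the forwarder could learn by iterating
# through root, TLD and authoritative servers on the Internet.
INTERNET_ANSWERS = {"www.funtimes.com": "198.51.100.7"}


@dataclass
class Firewall:
    """Pass DNS only when the host on the outside is the forwarder."""
    forwarder: str
    log: List[str] = field(default_factory=list)

    def permit(self, src: str, dst: str, outside_port: int, outbound: bool) -> bool:
        # For an outbound query the outside host is dst; for an inbound reply it is src.
        outside_host = dst if outbound else src
        allowed = outside_port == DNS_PORT and outside_host == self.forwarder
        verdict = "ALLOW" if allowed else "DROP"
        self.log.append(f"{'OUT' if outbound else 'IN'} {src}->{dst} {verdict}")
        return allowed


@dataclass
class CachingForwarder:
    """Holds no zones; resolves by iterating on the Internet and caches results."""
    cache: Dict[str, str] = field(default_factory=dict)

    def resolve(self, name: str) -> Optional[str]:
        if name in self.cache:
            return self.cache[name]
        ip = INTERNET_ANSWERS.get(name)   # the iterative lookups happen here, outside the firewall
        if ip is not None:
            self.cache[name] = ip
        return ip


@dataclass
class SlaveServer:
    """Authoritative for the internal zone; forwards everything else, never iterates."""
    zone: Dict[str, str]
    firewall: Firewall
    forwarder: CachingForwarder

    def query(self, name: str) -> str:
        if name in self.zone:
            return self.zone[name]          # answered locally, nothing crosses the firewall
        # The only outside host ever contacted is the forwarder.
        if not self.firewall.permit(INTERNAL_DNS, FORWARDER, DNS_PORT, outbound=True):
            return "SERVFAIL"
        answer = self.forwarder.resolve(name)
        # The reply comes back from the forwarder's port 53, so the firewall admits it.
        self.firewall.permit(FORWARDER, INTERNAL_DNS, DNS_PORT, outbound=False)
        # A slave reports the forwarder's failure to the client instead of retrying itself.
        return answer if answer is not None else "NXDOMAIN"


def build_demo():
    """Wire the three components together with a constructed internal zone."""
    firewall = Firewall(forwarder=FORWARDER)
    forwarder = CachingForwarder()
    slave = SlaveServer(
        zone={"fs1.tacteam.net": "10.0.0.10", "mail.tacteam.net": "10.0.0.20"},
        firewall=firewall,
        forwarder=forwarder,
    )
    return slave, firewall, forwarder


def contacted_hosts(firewall: Firewall) -> List[str]:
    """Outside hosts that appeared in any ALLOWed log entry."""
    hosts = []
    for entry in firewall.log:
        if entry.endswith("ALLOW"):
            pair = entry.split()[1]
            hosts.extend(pair.split("->"))
    return sorted(set(hosts) - {INTERNAL_DNS})


if __name__ == "__main__":
    slave, fw, _ = build_demo()
    for name in ("www.funtimes.com", "fs1.tacteam.net", "nosuch.example"):
        print(name, "->", slave.query(name))
    # What the firewall does with traffic that bypasses the forwarder:
    print("direct query to Internet server allowed?", fw.permit(INTERNAL_DNS, ROOT_SERVER, DNS_PORT, True))
    print("Internet server reaching internal DNS allowed?", fw.permit(ROOT_SERVER, INTERNAL_DNS, DNS_PORT, False))
    print("outside hosts actually reached:", contacted_hosts(fw))
```

The two `permit` calls at the end show the property the article relies on: an internal server that tried to iterate on its own would be dropped at the firewall, and an Internet host has no permitted path to the internal server, so the zone data never leaves the inside.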