Back To Basics: DNS Server Roles -- Caching-only Servers Page 3

Thomas Shinder

Forwarders and Firewalls

The Slave Server/Caching-only forwarder combination is very helpful in protecting your intranet zone data. We can use this combination to prevent users on the other side of a firewall from having access to information on our internal DNS Server.

For example, at tacteam.net we have an internal DNS server we use to resolve DNS requests for resources inside of our corporate environment. As long as the requests are for only hosts in our internal network, DNS requests represent no security risk. However, what happens when users on the internal network need to access resources on the Internet?

What happens when one of our users wants to go to www.funtimes.com? When the recursive request hits our internal DNS server (which is authoritative for only tacteam.net), what does the server do? It begins to issue iterative queries to other DNS servers on the Internet in order to resolve the Internet host name. In the process, Internet DNS servers must send their responses directly to our Internal DNS machine through the firewall. The firewall must have the DNS ports open to Internet users in order for DNS responses to be send to our internal server. This exposes our internal DNS server, its zone data, and the nature of our requests to users on the Internet. How can we avoid this potentially dangerous situation?

The Solution

We can place a caching-only forwarder on the outside of a firewall and configure our internal DNS server to be a slave server. Now when one of our clients issues a name resolution request for an Internet host to our internal DNS server, the internal server will forward the request to the forwarder on the outside of the firewall. The forwarder will attempt to resolve the host name to an IP address. If successful, it will return the IP address to our internal DNS server, who will in turn return the IP address to the client that issued the request. If the forwarder is unsuccessful, it will report that to our internal server, who will report to the client that the host was not found. Our internal slave server will NOT attempt to resolve the host name itself. The slave then returns what the forward told it to the DNS client and the query fails.

At no time does an Internet DNS server attempt to send a response directly to our Internal server when we use the slave server/Caching only forwarder combination. The firewall is configured to allow outbound and inbound messages only to and from the forwarder.  In this way, our internal zone records are safe. 

This article was originally published on Sep 26, 2000
Page 3 of 4

Thanks for your registration, follow us on our social networks to keep up-to-date