Inline comments...

> I believe it will depend on the configuration of your internal DNS
> server(s).
>
> As I understand it (it has been a little while), your DNS server
> has a choice of making the request on the workstation's behalf, and
> sending back the response when it arrives, or telling the
> workstation to re-issue the request to some other (specified) server.
> I believe DNS terminology calls these two behaviours "forwarding"
> and "referring", respectively.

The behavior of the DNS server is determined by the type of query (recursive or iterative). Clients issue recursive queries unless a specific application is configured to issue iterative queries. You may be thinking of how DNS servers will interact with *each other*. A DNS server can issue either recursive or iterative queries to another DNS server depending on its configuration. However, DNS servers do not respond to recursive queries (client computers) with referrals to other DNS servers. They respond with success or failure.

> Obviously, telling the workstation to re-issue the request is less
> work for the local server, and may avoid some time-out issues.

Configuring the DNS server with forwarders, which in most default configurations sets the DNS server to issue recursive queries to another DNS server, lessens the workload on that DNS server, as another DNS server does the "walking" for it. This is not how client configuration typically works, however. If you run a packet trace from a client machine, and the client machine is configured with a DNS server that uses forwarders, you will see only the end result of the query coming from the first DNS server to the client, not redirection responses coming to the client. If you run a packet trace from the first (usually internal) DNS server, you will see the same results if it is configured with a forwarder. However, if the internal DNS server does its own querying (issues iterative queries), you will see responses coming back from servers from the root down, with referrals to other DNS servers that are authoritative for the domain in question.

> However, besides the traffic which you report (which might also
> have come from other causes, such as some versions of traceroute...),
> this also means allowing any workstation to send out random UDP
> traffic on port 53, even if it's NOT DNS queries. It could, for
> instance, be DDoS traffic from compromised internal machines.

My guess would be that the traffic in question is, indeed, not coming to the client as a result of DNS queries.

> So *my* preference -- given a choice -- is to allow UDP queries of
> external DNS servers only from the internal DNS servers, and not from
> random workstations.

This will prevent clients from sending queries to external DNS servers, and will prevent external DNS servers from sending resolution responses, but again, the traffic that is currently coming into those clients is much more likely to be the result of traceroutes, query responses that were sent to the external DNS server rather than an internal DNS server, or other traffic, as mentioned.

Laura Robinson

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
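The exchange described in the thread, as an added example that is not part of the original post or anyone's reply: it builds the four messages a packet trace would show (a stub resolver's recursive query, the internal resolver's iterative query to an outside server, that server's referral, and the final answer the client receives), classifies them the way a trace reader would, and then audits a constructed trace for hosts other than the internal resolvers talking to outside servers on UDP/53, which is exactly the traffic the proposed firewall rule would drop. All packets and addresses below are constructed inline (RFC 5737 documentation ranges for the outside hosts, 10.0.0.0/8 assumed as the internal network, 10.0.0.53 assumed as the internal resolver); nothing goes on the wire.

```python
"""Recursive vs. iterative DNS in miniature, plus a trace audit for stray UDP/53."""
import ipaddress
import struct

A, NS = 1, 2                     # RR types used below
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: the site's address space


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off=12):
    """Decode the uncompressed name at msg[off:] (our constructed packets never compress)."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)


def header(txid, qr, aa, rd, ra, rcode, qd, an, ns, ar):
    flags = (qr << 15) | (aa << 10) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


def question(name, qtype=A):
    return encode_name(name) + struct.pack("!HH", qtype, 1)          # class IN


def rr(name, rtype, rdata, ttl=3600):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_query(txid, name, recursion_desired):
    """RD=1 is what a workstation's stub resolver sends; RD=0 is an iterative query."""
    return header(txid, 0, 0, int(recursion_desired), 0, 0, 1, 0, 0, 0) + question(name)


def build_answer(txid, name, ip):
    """What the recursive resolver hands the client: the final A record, RA=1."""
    rdata = bytes(int(o) for o in ip.split("."))
    return header(txid, 1, 0, 1, 1, 0, 1, 1, 0, 0) + question(name) + rr(name, A, rdata)


def build_referral(txid, name, zone, nameservers):
    """What an outside server sends an iterative querier for a delegated name:
    ANCOUNT=0, NS records for the child zone in the authority section, AA=0, RA=0."""
    auth = b"".join(rr(zone, NS, encode_name(n)) for n in nameservers)
    return header(txid, 1, 0, 0, 0, 0, 1, 0, len(nameservers), 0) + question(name) + auth


def build_failure(txid, name, rcode):
    """SERVFAIL (2) or NXDOMAIN (3) from the recursive resolver to the client."""
    return header(txid, 1, 0, 1, 1, rcode, 1, 0, 0, 0) + question(name)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15 & 1, "aa": flags >> 10 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF, "qd": qd, "an": an, "ns": ns, "ar": ar}


def classify(msg):
    """Label a DNS message the way you would when reading a trace."""
    h = parse_header(msg)
    if h["qr"] == 0:
        return "recursive query" if h["rd"] else "iterative query"
    if h["rcode"] != 0:
        names = {2: "SERVFAIL", 3: "NXDOMAIN"}
        return "failure (%s)" % names.get(h["rcode"], "rcode %d" % h["rcode"])
    if h["an"] > 0:
        return "answer"
    if h["ns"] > 0 and not h["aa"]:
        return "referral"            # no answer, only a delegation: keep walking
    return "empty (no data)"


def audit_trace(packets, internal_resolvers):
    """packets: (src, dst, dst_port, payload). Return (src, dst, qname) for every
    query sent to an outside server on port 53 by a host that is not one of the
    internal resolvers: the traffic the 'resolvers only' firewall rule would drop."""
    hits = []
    for src, dst, dport, payload in packets:
        outside = ipaddress.ip_address(dst) not in INTERNAL_NET
        if dport == 53 and outside and src not in internal_resolvers and parse_header(payload)["qr"] == 0:
            hits.append((src, dst, decode_name(payload)))
    return hits


# Constructed trace: client -> resolver -> outside server -> resolver -> client, plus one stray host.
NAME = "www.example.com"
SAMPLE_TRACE = [
    ("10.0.5.20", "10.0.0.53", 53, build_query(0x1001, NAME, True)),
    ("10.0.0.53", "203.0.113.1", 53, build_query(0x2002, NAME, False)),
    ("203.0.113.1", "10.0.0.53", 53, build_referral(0x2002, NAME, "com", ["a.gtld-servers.net"])),
    ("10.0.0.53", "10.0.5.20", 53, build_answer(0x1001, NAME, "192.0.2.10")),
    ("10.0.5.77", "198.51.100.53", 53, build_query(0x3003, NAME, True)),   # workstation bypassing the resolver
]

if __name__ == "__main__":
    for src, dst, _, payload in SAMPLE_TRACE:
        print("%-13s -> %-14s %s" % (src, dst, classify(payload)))
    print("policy violations:", audit_trace(SAMPLE_TRACE, {"10.0.0.53"}))
```

Run it and the trace reads top to bottom as the reply describes: the client only ever sees a recursive query go out and a final answer come back, while the referral appears solely on the resolver's side of the exchange. The last line of the audit is the host the firewall rule exists to catch.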
