opie at 817west.com
Thu Nov 18 14:50:33 CET 2004
On Thu, 2004-11-18 at 07:32, Peter Marshall wrote:
> I am sure this is a stupid question ...but I will ask anyway. Should I be
> allowing my dns server (in my dmz) connect to root servers ? At the moment
> it is being blocked, and the only thing it can connect to is my ISP's DNS
> server. Basically, my dns server serves requests for servers in my dmz for
> my internal users. If it can't find the hit, it passes the request on to my
> ISP's ... I am trying to clean up my firewall logs, and noticed that the DNS
> server is always trying to query root servers. I was just not sure if this
> should be allowed. If it is not, (and I suspect there is no need to) Is
> there a way to make my DNS server stop querying the root servers ?
> PS DNS is a rh9 box running bind.
oops...apparently CTRL+ENTER sends a message in evolution before you're
done typing--sorry about that last message...
if you're specifying:
then your DNS server should not be falling back to the root servers if
your ISP's servers don't have the answer. the drawback is--if your
ISP's servers don't have the answer--your clients will get a negative
response, which usually isn't what you want.
i normally specify:
and in that case--you need to allow the DNS server out to any IP on port
53, not just to the root servers (the root servers do not provide
"Dear Baby, Welcome to Dumpsville. Population: You"
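Added example, not from the original message: the reply's own config lines did not survive in this archive, so this assumes the two settings it contrasts are BIND's `forward only` and `forward first`, and uses 192.0.2.53 as a placeholder for the ISP's resolver.

```conf
// Added example (not from the original message). BIND named.conf options
// for a DMZ resolver that hands queries to the ISP's servers.
// 192.0.2.53 is a documentation-range placeholder for the ISP's DNS.
options {
    directory "/var/named";

    forwarders { 192.0.2.53; };

    // Variant A: "forward only". named sends every recursive query to the
    // forwarders and never walks the root hints itself.
    // Firewall need: UDP/TCP 53 outbound to the forwarder(s) only, so the
    // blocked root-server attempts in the log should stop after a reload.
    // Trade-off: if the forwarder cannot answer, clients get a failure.
    forward only;

    // Variant B: "forward first" (the reply's usual choice). named tries
    // the forwarders first and falls back to normal recursion from the
    // root servers when they fail to answer.
    // Firewall need: UDP/TCP 53 outbound to any address, because recursion
    // contacts the roots and then whichever authoritative servers follow.
    // forward first;
};
```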