Best Practices for Forwarded DNS Queries

  • Thread starter Thread starter Moondoggy
  • Start date Start date
M

Moondoggy

For several years now we have had our internal DNS servers forward queries
for non-hosted zones to our ISP's forwarder servers. At the time we set this
up we were told by someone (can't remember who) that this was a "best
practice" to forward to an ISP's forwarder server vs. sending queries to the
root servers for name resoution. Now, we have purchased internet services
from some sort of bulk provider and our old ISP wants us to stop forwarding
queries to their forwarder servers but the bulk provider does not have their
own forwarder server. When contacted about the situation, the bulk provider
is suggesting that we were told wrong and the real best practice is to
forward external zone queries to the roots. Can anyone weigh in on this
issue and perhaps point me to some sort of document that spells out the true
best practice?
 
Mike,

Thanks for the reply.

I've actually had several people mention OpenDNS to me but I need a bit more
enlightenment regarding how this works as I was on their site a few minutes
ago and found the following blurb regarding their "Free" service:

"People frequently ask us how we can offer such a fantastic service without
charging a dime. OpenDNS makes money the same way Google and Yahoo do — by
showing relevant ads when we show you search results."

So in their instructions it says that all I have to do to use their service
is change the IP addresses for my forwarder but if that's true, where does
the showing of relevant ads occur? Is this the kind of deal where you're
taken to an alternate search page with ads if you fat finger the URL?

If you or anyone else has information on this let me know. I'm still
curious about the "Best Practices" question of using Forwarders vs. Root
Hints so if anyone has any information let me know.
So my question is...If I'm an enterprise user it says that all I have to do
is point my DNS forwarders to the two IP addresses they have specified. If I
do that, how are they delivering the "relevant ads"?
 
Is this the kind of deal where you're taken to an alternate search page
with ads if you fat finger the URL?

Yes - with your logo if you prefer. What I like the most is the free content
filtering.
 
Mike,

Thanks for the feedback but yet another question. Someone else that replied
to another post on another forum suggested OpenDNS as well but I seem to get
the impression from him that there was some way (paid service???) that you
could somehow disable this feature. Even in your post you mentioned that the
search page can have our corporate logo on it and this confuses me a bit as I
don't understand how it is that their instructions tell you to simply change
out your existing forwarder IP address with theirs and your done. There's
something that I appear to be missiing on how everyone is handling all this
customization. Can you enlighten me some more?

Thanks.
 
Kurt,

Thanks for the reply.

OK....I'm going back to my original question.....Regardless of whether you
use a forwarder service like OpenDNS for name resolutions from a corporate
DNS, is anyone aware of what the "Best"or "Approved" practice is?

I've received a lot of repies on different forum sites suggesting that
OpenDNS is a great solution if you want to use a forwarder but it's also been
suggested by a Microsoft MVP that forwarders should not be used in a
corporate setting and that he always recommends going to the roots instead.
In the MVP's discussion of the issue he provided stong reasoning why going to
the roots was better but I didn't necessarily get that warm fuzzy feeling
that this was an Internet "Best" or "Approved" practice for large
corporations.

From all that I've been able to gather all week both methods work and both
have their pos and cons but does anyone really care which method is used?
 
Just a quick update:

I sent mail to ICANN.ORG asking the same question I have had posted on this
forum. Here is the response I got back from the Manager, Root Zone Services
Internet Assigned Numbers Authority via ICANN:

"We don't have a specific reference to a "best practice", but there is no
problem for you setting up your own recursive name server rather than using a
forwarder. All we recommend is that you take steps to make sure your root
hints file is kept up to date — and as long as you use a package like BIND
and regularly update it they should automatically provide you with updated
hints files. Alternatively, you can download it from
http://www.internic.net/zones/named.root"
 
I would recommend being cautious, choosing forwarders, remember your DNS
will ask anything they do not authoritative for to the forwarders DNS
servers. I am not saying open DNS is less secure than any other ISP DNS
servers (- :
All I am saying is choosing forwarders needs attention. Sometimes your ISP
DNS servers will be faster than open DNS servers, just try it out to
evaluate both


Oz
Oz Casey Dedeal

MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +

http://smtp25.blogspot.com (Blog)
 
Back
Top