Forwarders & Firewall Ports

  • Thread starter: Tony Walecka

Tony Walecka

We are setting up Win2k DNS servers hidden behind the
firewall for our internal network. They will resolve
addresses for all of our internal clients, AD & DNS.

The questions are:

If we don't open port 53 for the internal DNS servers so
they can query external DNS servers for external
addresses themselves (something we don't think we want to
do) will we have to use forwarders?

What tcp/udp ports will the forward queries use so we can
make sure the firewall is configured properly if we use
forwarders?

If forwarders are used will the internal DNS servers
update their cache to include frequently visited
addresses or will forwarders be used over and over for
any addresses not in the internal ZONE?

Thanks
 
UDP and TCP port 53. Allow the internal DNS server to query destination port 53
on your ISP's DNS server(s). Also allow the reply (this is usually allowed
by the statefulness of the router). Will you also have public zones for
external folks to query?
 
Yes, we have external zones for the public folks, but our
issue is internal resolution.

Do you mean we need UDP/TCP 53 for the forwarder scenario?
If we open up port 53, why wouldn't we just let the DNS
servers make the queries themselves (we don't have bandwidth problems)?

Basically, our quandary is -- performance-wise -- we would
rather let the DNS servers make the queries and update
their cache rather than use forwarders. However, we
aren't sure of the security ramifications. Obviously we
don't want anybody from the 'outside' seeing our internal
DNS info, but if we open UDP/TCP 53 for 'outbound'
queries, are we creating a security problem given that the
DNS servers are inside our 'trusted' network?
 
Forwarding is a performance gain, not a drain, since the outside server is
doing all the work and just supplying the answer.

You'll still have to allow the response back in. I've found also that for MS
DNS, you'll unfortunately also need to allow 1024 - 65534 back in to it for
the ephemeral response port. It's just the way MS DNS works.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
The difference is, if you use root hints you have to allow outbound (and
reply) to any IP, since you don't know upfront what they will be. If you use
forwarding to your DMZ server or your ISP, then you only have to open a rule
for one or two IPs and ports (i.e., the ISP forwarders).
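The firewall side of the two options discussed in this thread (the port 53 rule from the first reply, the reply traffic Ace mentions, and the root-hints-versus-forwarders difference in the last post), written out as an added example. This is not code from any poster; it assumes a Linux perimeter firewall running iptables with the conntrack match, an internal DNS server at the placeholder address 10.0.0.5, an outside interface named by WAN_IF (default eth0), and placeholder forwarder addresses in 203.0.113.0/24. The script prints the rules instead of applying them, so it runs offline; pipe its output to sh on the firewall to apply it.

```shell
#!/bin/sh
# Added example, not from the thread: emit iptables rules for a Linux perimeter
# firewall in front of an internal Windows DNS server, for both resolution
# strategies. Assumed placeholders: DNS server 10.0.0.5, outside interface
# $WAN_IF (default eth0), forwarder IPs supplied on the command line.
set -eu

WAN_IF=${WAN_IF:-eth0}

# dns_egress_rules MODE DNS_SERVER [FORWARDER_IP ...]
#   forwarders : outbound 53/udp and 53/tcp only to the listed forwarder IPs
#   root-hints : outbound 53/udp and 53/tcp to any destination, because the
#                root, TLD and authoritative servers are not known upfront
# In both modes replies come back through a single stateful rule, so the
# ephemeral source-port range the resolver picks never has to be opened
# statically.
dns_egress_rules() {
    mode=$1; server=$2; shift 2
    case "$mode" in
        forwarders)
            [ "$#" -gt 0 ] || { echo "forwarders mode needs at least one forwarder IP" >&2; return 1; }
            for fwd in "$@"; do
                for proto in udp tcp; do
                    echo "iptables -A FORWARD -o $WAN_IF -s $server -d $fwd -p $proto --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
                done
            done
            ;;
        root-hints)
            for proto in udp tcp; do
                echo "iptables -A FORWARD -o $WAN_IF -s $server -p $proto --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
            done
            ;;
        *)
            echo "unknown mode: $mode (use forwarders or root-hints)" >&2
            return 1
            ;;
    esac
    # Only packets belonging to a query the DNS server itself started may come
    # back in, whatever ephemeral port it chose.
    echo "iptables -A FORWARD -i $WAN_IF -d $server -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Nothing else from outside reaches the internal server: no zone transfers,
    # no recursive queries from strangers, no unsolicited 'replies'.
    echo "iptables -A FORWARD -i $WAN_IF -d $server -j DROP"
}

# count_outbound_dns_rules MODE DNS_SERVER [FORWARDER_IP ...]
# Number of outbound port-53 rules the chosen mode produces; shows how much
# narrower the forwarder rule set is (two per forwarder vs. two open ones).
count_outbound_dns_rules() {
    dns_egress_rules "$@" | grep -c -- '--dport 53'
}

# Stand-alone run: tight rule set for two ISP forwarders, then the open one.
echo "# forwarders mode"
dns_egress_rules forwarders 10.0.0.5 203.0.113.1 203.0.113.2
echo "# root-hints mode"
dns_egress_rules root-hints 10.0.0.5
```

The forwarders mode pins the destination to the one or two ISP addresses, which is the narrow rule set the last post describes; root-hints mode has to leave the destination open. The ESTABLISHED,RELATED rule is what lets the answers back in on whichever source port the server used, and the final DROP is what keeps outside hosts from querying the internal server directly.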
 