
While looking at some records in my firewall I noticed that I had an address that was consistently pinging Google's DNS servers. After checking my domain controllers I noticed they had forwarders pointing to Google's DNS. I'm wondering if these forwarders are necessary, especially since my firewall has a primary and secondary DNS address in it.

Matt
    You're the only one that can determine if that entry needs to be there. – EEAA Aug 28 '15 at 21:37
  • It's up to you to decide – if you don't have forwarders on your DCs, then they'll have to query the root DNS servers directly. Your firewall's configuration doesn't necessarily determine what DNS settings your DCs and your client machines are using. – fission Aug 29 '15 at 04:09

1 Answer


It's an interesting question.

How you set up DNS depends in large part on your preferences. It gives you a lot of options.

You can use Google's resolvers as forwarders (or other resolvers, like the one your ISP probably provides for you) if you want. When you do this, you give them knowledge of what domains you are looking up and trust them to provide accurate information. DNSSEC makes the trust part less of an issue, but deployment is incomplete.

You can have your domain controllers use an external DNS server (like the one in your firewall) as a forwarder if you want. This is only a load issue in very large networks, but there is probably also no reason to do it.

You can also set up your own recursive resolver that uses the root servers to query delegations and look up the domains on its own (doing essentially what Google's resolvers do for you) and then not use any forwarders at all; you could do this on your domain controllers, or set up a DNS server just for that. This is the most trustworthy and private way, but it introduces security constraints (you must mitigate DNS amplification attacks with an ACL, generally) and has more of a performance and bandwidth cost.

It's up to you!

Falcon Momot
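The three layouts the answer lists (forward to Google, forward to the firewall, or recurse from the root hints with recursion restricted to internal clients) can be audited and applied on a Windows DNS server with the DnsServer module. The script below is an added example, not part of the question or answer above; it assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT), a domain controller named DC01, the documentation addresses 192.0.2.1 and 192.0.2.2 standing in for the firewall's DNS servers, 10.0.0.0/8 standing in for the internal client range, and Windows Server 2016 or later for the recursion-scope policy.

```powershell
# Added example (not from the original Q&A). Audits the forwarders on a
# Windows DNS server / domain controller and applies one of the layouts the
# answer describes. Requires the DnsServer module and DNS admin rights.
# Assumed names and addresses: DC01, 192.0.2.1/192.0.2.2 (firewall DNS),
# 10.0.0.0/8 (internal clients). Adjust before running.
param(
    [string]$DnsServer = 'DC01',
    [ValidateSet('Audit', 'ForwardToFirewall', 'RootHintsOnly')]
    [string]$Mode = 'Audit'
)

$firewallResolvers = @('192.0.2.1', '192.0.2.2')              # assumed firewall DNS addresses
$internalSubnet    = '10.0.0.0/8'                             # assumed internal client range
$publicResolvers   = @('8.8.8.8', '8.8.4.4', '1.1.1.1', '9.9.9.9')

# --- Audit: where does the DC send queries it cannot answer from its own zones/cache?
$fwd = Get-DnsServerForwarder -ComputerName $DnsServer
"Forwarders on ${DnsServer}: $($fwd.IPAddress -join ', ')"
"Fall back to root hints if forwarders fail: $($fwd.UseRootHint)"

# Forwarding to a public resolver means every name the org looks up leaves the
# network, which is exactly the traffic the firewall log showed (DC -> 8.8.8.8).
$leaking = @($fwd.IPAddress | Where-Object { $publicResolvers -contains "$_" })
if ($leaking.Count -gt 0) {
    "Forwarding to public resolvers: $($leaking -join ', ')"
}

$rec = Get-DnsServerRecursion -ComputerName $DnsServer
"Recursion enabled: $($rec.Enable)"

switch ($Mode) {
    'ForwardToFirewall' {
        # Option: replace the forwarder list with the firewall's resolvers.
        # -IPAddress replaces the whole list; UseRootHint $true keeps root
        # hints as a fallback if the firewall stops answering.
        Set-DnsServerForwarder -ComputerName $DnsServer `
            -IPAddress $firewallResolvers -UseRootHint $true
    }
    'RootHintsOnly' {
        # Option: no forwarders at all; the DC iterates from the root hints.
        foreach ($ip in $fwd.IPAddress) {
            Remove-DnsServerForwarder -ComputerName $DnsServer -IPAddress $ip -Force
        }
        # Sanity check: root hints must be present for this to work.
        $roots = Get-DnsServerRootHint -ComputerName $DnsServer
        "Root hints configured: $($roots.Count)"

        # The "ACL" the answer mentions: on Windows Server 2016+ recursion can
        # be limited to internal clients with a recursion scope + DNS policy,
        # so the server cannot be used as an open resolver for amplification.
        Add-DnsServerClientSubnet -ComputerName $DnsServer `
            -Name 'Internal' -IPv4Subnet $internalSubnet
        Add-DnsServerRecursionScope -ComputerName $DnsServer `
            -Name 'InternalRecursion' -EnableRecursion $true
        # Default scope ('.') stops recursing for everyone else.
        Set-DnsServerRecursionScope -ComputerName $DnsServer `
            -Name '.' -EnableRecursion $false
        Add-DnsServerQueryResolutionPolicy -ComputerName $DnsServer `
            -Name 'RecurseForInternalOnly' -Action ALLOW -ApplyOnRecursion `
            -RecursionScope 'InternalRecursion' -ClientSubnet 'EQ,Internal'
    }
}

# Verify external resolution still works through whichever path is configured.
Resolve-DnsName -Name 'example.com' -Type A -Server $DnsServer -DnsOnly |
    Select-Object Name, Type, IPAddress
```

Run it first with the default `-Mode Audit` against each DC; it only reads configuration. Note the comments' point that the firewall's own DNS settings do not govern the DCs: clients ask the DCs, and the DCs ask whatever forwarders (or root hints) are set here. The recursion-scope policy is defense in depth; a DC should not be reachable on UDP/53 from the internet in the first place.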