First off I have to explain..I’ve been doing knock offs of Shakespeare ever since I briefly caught the interview of Denzel Washington on GMA in his role of Brutus in Julius Caesar on Broadway…..the “To Be or not To Be“ is from Hamlet anyway….we now return you back to the blog….

DNS …to forward or not to forward…that ’tis the questionwhether tis nobler in the mind to suffer the slings and arrows of potential DNS poisoning or to merely use root hints….. 

uh…sorry…where was I?  Oh yeah

Muffy in the newsgroups indicates that when she ran the Connect to internet wizard that she ‘did not’ put in any ISP’s DNS entries in there where the wizard indicated and the network is resolving to the Internet just fine.  Is this okay, she asks?

And yes, indeed as is showcased here it is truly not necessary to put in ISP forwarders…as the built in DNS root hints pick up the ball and just work.

In fact, many are now arguing that we should ‘not’ put in DNS forwarders anymore due to DNS poisoning attacks.  The only thing I have seen that we need sometimes is adjustments to EDNS0 support evidence by not being able to get to some websites.

So next time you are playing around with your test server… try taking out those forwarders…see what happens… you’ll probably find like Muffy did that everything magically still works just fine.

P.S.  Check out Eric’s comments for some items to think about when choosing between forwarding or no forwarding.


3 Responses to DNS …to forward or not to forward…that ’tis the question

  1. There isn’t a clear "right answer" here IMHO. If you use forwarders, you rely on the upstream DNS server to not get poisoned. But you also get the benefits of performance….less bandwidth you need to use, less time to go out and talk to a root server then work your way "down the chain" so to speak.

    It’s all about faith to some degree. If you consider that some % of your traffic is traveling unencrypted over the wire to that ISP, perhaps you already have some faith in them, and trust them for DNS. Perhaps you encrypt everything, and never trust your ISP. Perhaps you are just about protecting what you can, and see this as another step, even though you trust them for other things here.

    No right answers here….just a lot of people that like to disagree. 🙂

  2. David Schrag says:

    Funny you should bring this up now. There seems to be a major problem lately with SBSers who are using Verizon’s DNS servers as forwarders (at least in the Boston area). Clearing the forwarder information off the SBS box seems to resolve the problem. I would urge anyone (especially Verizon customers) who is having trouble resolving names (but no trouble pinging by IP address) to try removing the forwarders to see if that fixes it.

  3. Karina says:

    Schwarzbrot macht Wangen rot, Weissbrot macht Leute tot.