Forwarding vs Root Hints

On my network, all clients connect to the internet by forwarding requests through my DNS server to my ISP's DNS servers. Can someone please provide detailed pros and cons of using forwarding to the ISP's DNS versus using the built-in root hints? I am looking for security issues and privacy issues related to both options.
The man who trades freedom for security does not deserve nor will he ever receive either.

Comments

  • dynamik (Banned, Posts: 12,312)
    Unless you're doing something like forwarding DNS queries to a DNS server over a secured connection, such as a VPN, there isn't going to be more security one way or another since your ISP will still see everything you're doing. Forwarding will probably give you better performance since you will be making your ISP perform the iterative queries on your behalf, and they will likely have the vast majority of your queries cached anyway.
  • Devin McCloud (Member, Posts: 133)
    Thanks Dynamik,
    That answers part of the question. What are the security risks of using root hints versus letting my ISP's DNS server perform queries? I read somewhere that using root hints caused a security risk by allowing people on the internet to gain information about your internal network. I was trying to figure out whether this was accurate at all or just some misinformation I picked up googling.

    Edit: It's possible I read this as the reason to check "Do not use recursion for this domain".
  • astorrs (Member, Posts: 3,139)
    Don't worry about recursion if the DNS server is only serving internal clients - well, unless your fellow administrator has all your client PCs set up in a botnet and is preparing to launch a DDoS attack against your internal mail server(s)... but then you'd have bigger problems. ;)
  • Devin McCloud (Member, Posts: 133)
    Understanding forwarders: Domain Name System (DNS)

    "Without having a specific DNS server designated as a forwarder, all DNS servers can send queries outside of a network using their root hints. As a result, a lot of internal, and possibly critical, DNS information can be exposed on the Internet. In addition to this security and privacy issue, this method of resolution can result in a large volume of external traffic that is costly and inefficient for a network with a slow Internet connection or a company with high Internet service costs."

    Here's another example of Microsoft talking about the security issue.
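As an added example (not from this thread or from Microsoft's documentation), here is how the two configurations discussed above look on a Windows DNS server using the DnsServer PowerShell module: inspect the current resolution path, then switch to forwarding to the ISP with root-hint fallback off, and restrict recursion to internal clients so the server never recurses for the Internet. The forwarder address 203.0.113.53 and the 10.0.0.0/8 internal subnet are placeholders; the recursion-scope and query-resolution-policy cmdlets assume Windows Server 2016 or later.

```powershell
# Inspect the current resolution path on this DNS server.
Get-DnsServerForwarder                                   # IPAddress, UseRootHint, Timeout
Get-DnsServerRootHint | Select-Object -ExpandProperty NameServer
Get-DnsServerRecursion                                   # Enable, SecureResponse

# Option A (root hints): with no forwarders the server iterates from the root
# servers itself. Every authoritative server on the path sees this server's
# public address and the name being resolved, and the server must be allowed
# to recurse, so it must only be reachable by internal clients.
$current = Get-DnsServerForwarder
if ($current.IPAddress) {
    Remove-DnsServerForwarder -IPAddress $current.IPAddress -Force
}
Set-DnsServerForwarder -UseRootHint $true

# Option B (forwarding to the ISP): the ISP resolver performs the iterative
# work and caches answers; only the ISP sees the queries. Turning off root-hint
# fallback keeps the server from silently reverting to Option A if the
# forwarder is slow or unreachable.
$isp = '203.0.113.53'                                    # placeholder: ISP resolver
Set-DnsServerForwarder -IPAddress $isp -UseRootHint $false -Timeout 3 -PassThru

# Either way: recursion stays on for internal clients only. The default scope
# ('.') is disabled and an 'Internal' scope, which forwards to the ISP, is
# applied only to queries from the internal subnet. Queries from anywhere else
# get no recursive answers (the "Do not use recursion" behaviour from the thread).
Add-DnsServerClientSubnet -Name 'Internal' -IPv4Subnet '10.0.0.0/8'   # placeholder subnet
Set-DnsServerRecursionScope -Name '.' -EnableRecursion $false
Add-DnsServerRecursionScope -Name 'Internal' -EnableRecursion $true -Forwarder $isp
Add-DnsServerQueryResolutionPolicy -Name 'InternalOnlyRecursion' -Action ALLOW `
    -ApplyOnRecursion -RecursionScope 'Internal' -ClientSubnet 'EQ,Internal'

# Verify: the default scope must report EnableRecursion = False.
Get-DnsServerRecursionScope | Format-Table Name, EnableRecursion, Forwarder
```

Running `Resolve-DnsName -Name example.com -Server <this server>` from a host outside the internal subnet should now fail for names the server is not authoritative for, which is the check that confirms the server is not an open resolver.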