BIND, forwarding and firewalls (long)

[Steve.Bleazard () wdr com]

     All
     
     Folowing on from the recent BIND discussion I have been looking at 
     some of the issues that exist with using the current bind (8.1.2) on a 
     firewall:
           
     1.  In a firewall environment it is often the case that requests must 
     be forwarded to different servers depending on the domain.  The BIND 
     TODO mentions zone based forwarding but does not expand.  The model 
     that seems to best fit is one in which a new zone type of 'forward' is 
     implemented which forwards all requests for that zone to specified 
     servers.
     
     2.  It is usually the case that only the firewall has access to 
     exteral nameservers and "internal" machines must use the nameserver on 
     the firewall to resolve addresses.   In this case non-recursive 
     queries do not make any sense.  Unfortunately it is not always 
     possible to be sure that all requests will have the rd bit set.  To 
     resolve this issue it appears desirable to globally force BIND to 
     treat all requests as being recursive.
     
     3.  If internal machines have no access to external nameservers then 
     returning information in the authoratitive and additional resource 
     sections of the reply does not make sense.  In fact, including this 
     information may break name resolution if an internal nameserver 
     without access to external nameservers is involved. To solve this 
     problem it would be desirable to have a way of controlling the 
     inclusion of this information, preferably on a per-zone basis.
     
     4.  Caching can also cause problems where vendors are using the 
     nameserver to handle load balancing and redundancy.  Obviously the 
     correct way to do this is to specify a low (0?) TTL thus rapidly 
     expiring cache entry.  However, broken implementations can fail to do 
     this.  As a result per zone control of caching would be useful.
     
     I would be interested in any comments on these issues.  
     
     Experimentally, I have developed patches to reslove the first three of 
     these, the following details the implementation.
     
     1.  Zone forewarding.  I have added a new zone type 'forward' that 
     expects a 'forwarders' zone option specifying where to forward 
     requests for names in the specified zone.  Thus,
     
        zone "foo.com" in {
                type forward;
                forwarders { 1.2.3.4; 5.6.7.8; };
        };
     
     Will forward requests for names in the foo.com to 1.2.3.4 and 5.6.7.8. 
     The implementation uses the same mechanism as the global forwarders 
     option.
     
     2.  Recursion.  The recurse global option now handles an extra value 
     of 'always' which forces BIND to assumes all queries are recursive.
     
     3.  Replies with information in the authoratitive and additional 
     sections.  A new global and zone specific option has been added: 
     'reply-glue [yes|no]'.  Specifying an option of 'reply-glue no' 
     globally forces stripping of all authoratitive and additional records 
     while as a zone option the stripping only applies to requests serviced 
     by the zone.
     
     4.  Cache control.  This is not implemented as yet but should be 
     trivial as it will use much the same internal mechanism as the zone 
     specific reply-glue.
     
     
     If anyone is interested in these mods please let me know.
     
     Steve