Firewall Wizards mailing list archives

DNS forwarding at the firewall (2nd try, slightly revised)


From: John McDermott <jjm () jkintl com>
Date: Fri, 2 Oct 98 16:43:47


[I posted this last evening, but have not seen it on the list.]

All,
I was recently discussing what one might do when forwarding DNS through a 
firewall.  [ I know about the issues of using a non-transparent proxy, etc,
but that is not the issue here.]  My question is where to point the 
firewall to resolve internal forwarded queries if there is no external DNS.

For example if internal host foo.local.net asks for www.external.com, 
should the firewall forward the query directly to a root server or should 
it forward the query to, for example, the ISP's caching server? 

My thought has always been to forward to the local caching server to take 
load off the root servers (in the example above, surely the info for an 
appropriate .com server is cached in the ISP's server).  I have also been 
told recently that all firewalls should forward to the root server.

What are your feelings on this, and is there some sort of definitive 
recommendation?  I checked the firewalls FAQ and the DNS FAQ and I could 
not find a "best practices" recommendation in either.  Maybe this has not 
been addressed by the FAQs or maybe I have old versions.

Thanks,
--john
-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------
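As an added illustration (not part of John's post), here are the two alternatives he describes in BIND named.conf syntax: forwarding everything to the ISP's caching server, versus iterating from the root servers directly. The forwarder address and the internal network range are placeholders.

```conf
// Added example, not from the original post. Addresses are placeholders.
options {
    directory "/var/named";

    // Alternative 1: send every non-authoritative query to the ISP's
    // caching resolver and never iterate from the roots ourselves.
    forward only;
    forwarders { 192.0.2.53; };          // placeholder: ISP caching server

    // Alternative 2: delete the two lines above. With no forwarders,
    // named iterates from the root servers using the hint zone below.

    // Either way, only internal hosts should be able to use this resolver.
    allow-query { 10.0.0.0/8; 127.0.0.1; };   // placeholder: internal net
};

// Root hints; required for alternative 2, harmless with "forward only".
zone "." {
    type hint;
    file "root.cache";
};
```

With `forward only`, a failure of the ISP's server means outside names stop resolving; `forward first` would instead fall back to iterating from the roots.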
