[Full-disclosure] DNS forward only: why does it help?

[Florian Weimer]

* Paul Szabo:

> As a workaround, it is recommended to set DNS servers to forward only.
> Can someone explain why that helps?

It helps if the network between recursor and forwarder is trusted.  If
it's not, the attacker must still obtain the IP addresses involved and
the forwarder source port, which doesn't immediately leak to the
attacker.  So automated attacks are somewhat less likely.