Poisoning "External" Cache with "Internal" Info

Crist J. Clark cjc at blossom.cjclark.org
Fri Jul 30 23:21:44 UTC 2004


I'm having some problems that involve poisoning my own cache
with data from an internal zone.

I'll warn you right now, this setup is a kludge on top of some
other kludges. I have a DNS server that provides services to
internal clients, server A.internal.example.com. It sees (well,
it's supposed to) the Internet root servers for recursive queries,
plus it has a heap of internal zones for which it is authoritative.
It is a master of some, a slave for others, and even is configured
to forward a zone (which is where the trouble begins).

The forwarded zone is being forwarded through an even "more
internal" DNS server, server B.way-internal.example.com. This more
internal server does NOT use the Internet roots. It has been told
that it is authoritative for ca.

The problem is that when our server A.internal.example.com
forwards a query for this zone, example.ca,

  example.ca	IN	ANY

to B.way-internal.example.com, B replies like so,

  ;; ANSWER SECTION:
  example.ca.		3600	IN	MX	10 mail.example.ca
  example.ca		3600	IN	MX	10.10.10.10

  ;; AUTHORITY SECTION:
  ca.			86400	IN	NS	b.way-internal.example.com.

  ;; ADDITIONAL SECTION:
  mail.example.com.	3600	IN	A	10.10.10.11
  b.way-internal.example.com. 3600 IN	A	10.10.10.5

And now A.internal.example.com will actually believe that authority
information about the ca. TLD until it expires. Sorry, Canada, you
just dropped off the Internet as far as our Internet DNS can see.

Some additional, ugly, information. I cannot just do another slave
zone with this. B.way-internal.example.com is _also_ forwarding
this zone, and I really cannot change that. Getting that forwarding
to all work is why I needed to add records to make it authoritative
for ca. in the first place. (With no ca. zone, I was getting a
SERVFAIL.)

There are so many things wrong with this setup, but I don't see
a better way. The basic drivers here are that the DNS server
that is authoritative for example.ca will not do zone transfers,
thus I am forced to use forwarding. Second, A.internal.example.com
does not have access to that authoritative server due to firewall
policies, thus requiring that extra hop through B.way-internal.
Any ideas on how to get info on example.ca to A without poisoning
my cache?
-- 
Crist J. Clark                     |     cjclark at alum.mit.edu
                                   |     cjclark at jhu.edu
http://people.freebsd.org/~cjc/    |     cjc at freebsd.org
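The mechanism behind the post is a bailiwick problem: the reply to a question inside example.ca carries an NS record for the parent, ca., plus glue for names under example.com, and a cache that accepts records whose owner names lie outside the zone it asked about is open to exactly this kind of poisoning. The following is an added example, not code from the original post and not BIND's own logic: a small Python checker that parses dig-style output (the reply text below is copied from the post as constructed sample input), takes the forwarded zone name as an assumed parameter, and reports which records a strict bailiwick rule would refuse to cache.

```python
"""Bailiwick check over a dig-style DNS reply.

Added example (not part of the original post, not BIND code).
A record is "in bailiwick" for a query about zone Z if its owner
name is Z itself or a name below Z.  Anything else, including a
record for the PARENT of Z (the ca. NS record in the post), must
not be accepted from this answer, because the server asked about
example.ca has no business telling us who serves ca.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RR:
    name: str      # canonical owner name, lower-case, trailing dot
    ttl: int
    rtype: str
    rdata: str
    section: str   # ANSWER / AUTHORITY / ADDITIONAL


def canonical(name: str) -> str:
    """Lower-case the name and make sure it is fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner == zone or owner is strictly below zone."""
    owner, zone = canonical(owner), canonical(zone)
    if zone == ".":
        return True
    return owner == zone or owner.endswith("." + zone)


def parse_dig(text: str) -> List[RR]:
    """Parse the ';; X SECTION:' blocks that dig prints into RR objects."""
    section = None
    records: List[RR] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";;") and line.endswith("SECTION:"):
            section = line[2:].split()[0]   # e.g. "ANSWER"
            continue
        if line.startswith(";") or section is None:
            continue                        # comments / preamble
        parts = line.split(None, 4)         # name ttl class type rdata
        if len(parts) < 5:
            continue
        name, ttl, _rclass, rtype, rdata = parts
        records.append(RR(canonical(name), int(ttl), rtype, rdata, section))
    return records


def out_of_bailiwick(records: List[RR], zone: str) -> List[RR]:
    """Records a cache must drop when the question was inside `zone`."""
    return [rr for rr in records if not in_bailiwick(rr.name, zone)]


# Constructed sample input: the reply quoted in the post, as dig prints it.
REPLY = """\
;; ANSWER SECTION:
example.ca.        3600  IN  MX  10 mail.example.ca
example.ca         3600  IN  MX  10.10.10.10

;; AUTHORITY SECTION:
ca.                86400 IN  NS  b.way-internal.example.com.

;; ADDITIONAL SECTION:
mail.example.com.  3600  IN  A   10.10.10.11
b.way-internal.example.com. 3600 IN A 10.10.10.5
"""

FORWARDED_ZONE = "example.ca"   # assumed: the zone A forwards to B


if __name__ == "__main__":
    for rr in out_of_bailiwick(parse_dig(REPLY), FORWARDED_ZONE):
        print(f"REJECT [{rr.section}] {rr.name} {rr.ttl} {rr.rtype} {rr.rdata}")
```

Run against the quoted reply, the checker keeps both MX records (owner example.ca.) and rejects the ca. NS record and both additional A records, which is the set of records that, once cached, make A believe B is authoritative for the whole ca. TLD. The same rule is what a recursive resolver applies to answers it gets from the Internet; the forwarding path in the post is the case where that protection is not being applied to B's answers.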

