Cache poisoning

Jeff Lightner jlightner at water.com
Fri Jul 14 12:12:54 UTC 2006


The BIND servers I'm talking about are a master and slave we use only
for external queries to our internet facing systems and for forwards to
the root servers from the inside (internally we have Windows DNS
servers).

The question came up because our security admin ran a Nessus scan and it
indicated we're running a version of BIND susceptible to cache
poisoning.  I'm going to upgrade the OS and the BIND on the servers in
question. I had asked to do this some months ago and the Nessus scan
helped me get the point across. However, I was of the impression that
cache poisoning was only an issue on a caching name server and we aren't
running one.  The responses you and Barry sent seem to confirm that.  I
just wanted to know the urgency of doing the upgrade as approvals flow
like molasses around here.

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of David Miller
Sent: Friday, July 14, 2006 12:40 AM
To: bind-users at isc.org
Subject: Re: Cache poisoning

If you provide a caching name server (most normal corporate/public
networks do) then it can be poisoned with bad entries. One way to be
a good citizen on the net is to not allow recursion outside your
network. This way if your cache is poisoned you won't be contributing
to the problem outside your own network. It is as simple as setting
up an ACL for the subnets you control. For example:

acl "internal" { 10.1.1.0/24; };

options {
	allow-recursion { internal; };
};


On Jul 13, 2006, at 10:39 AM, Jeff Lightner wrote:

> Is cache poisoning an issue for standard master/slave name servers or
> only for caching name servers?
> Jeffrey C. Lightner
> Unix Systems Administrator
> DS Waters of America, LP
> 678-486-3516
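A way to verify from the outside that the allow-recursion ACL above is actually in effect, as an added example that is not part of the original thread or of BIND itself: the script below sends one ordinary recursive query (RD set) to a server and reads the reply header. A server that sets RA and answers NOERROR is recursing for that client; a server that answers REFUSED with RA clear is enforcing its ACL. It assumes the target is reachable on UDP port 53 and uses www.isc.org as the test name (an assumption; any name the target is not authoritative for will do). The reply is rejected unless its transaction ID matches the query, since accepting mismatched replies is exactly how forged answers end up in a cache.

```python
"""Check whether a DNS server offers recursion to the querying host.

Added example, not code from the bind-users thread or from BIND: build a
recursive query, send it, and classify the reply header.  Run it from an
address outside the "internal" ACL to confirm recursion is closed there.
"""
import os
import socket
import struct

# Header layout per RFC 1035 section 4.1.1:
# ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (all 16-bit, network order)
_HEADER = struct.Struct("!HHHHHH")

FLAG_QR = 0x8000   # reply (vs. query)
FLAG_RD = 0x0100   # recursion desired (set by us)
FLAG_RA = 0x0080   # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, txid, qtype=1):
    """Build a single-question query for `name` (A record by default, class IN)
    with the RD flag set, using transaction ID `txid`."""
    header = _HEADER.pack(txid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_txid):
    """Classify a raw reply.  Returns a dict with rcode, ra, answers and
    open_recursion; raises ValueError for a reply that must not be trusted."""
    if len(data) < _HEADER.size:
        raise ValueError("short DNS reply")
    txid, flags, _qd, an, _ns, _ar = _HEADER.unpack_from(data)
    if txid != expected_txid:
        # Never accept a reply whose ID does not match our query: matching
        # the ID is one of the few checks a resolver has against forgery.
        raise ValueError("transaction ID mismatch: got %#x, expected %#x"
                         % (txid, expected_txid))
    if not flags & FLAG_QR:
        raise ValueError("not a response (QR bit clear)")
    rcode = RCODES.get(flags & RCODE_MASK, str(flags & RCODE_MASK))
    ra = bool(flags & FLAG_RA)
    return {
        "rcode": rcode,
        "ra": ra,
        "answers": an,
        # The server recursed for this client.  REFUSED with RA clear is the
        # allow-recursion ACL doing its job for this source address.
        "open_recursion": ra and rcode == "NOERROR",
    }


def check_open_recursion(server, name="www.isc.org", timeout=3.0):
    """Send the query over UDP/53 to `server` and return parse_response()'s
    verdict.  `name` is an assumed test name; any non-local name works."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _peer = sock.recvfrom(4096)
    return parse_response(data, txid)


if __name__ == "__main__":
    import sys
    # usage: python check_recursion.py <server-ip>
    print(check_open_recursion(sys.argv[1]))
```

A result with open_recursion True from a source address outside the ACL means the server is still an open resolver for that address, whatever the ACL says. A REFUSED reply shows the ACL works for that client; it does not change what a version-based scanner such as Nessus reports, so the question of whether to upgrade the BIND version is separate from this check.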
