Cache poisoning
Jeff Lightner
jlightner at water.com
Fri Jul 14 12:43:42 UTC 2006
Right, it has hints for root servers. OK, so they are caching name
servers in addition to being master/slaves, if I read this correctly?
In that case, will the recursion setup mentioned prevent the poisoning?
Nessus suggested I need to upgrade to later BIND 9 or earlier BIND 8.
Was there a version of BIND 9 that couldn't be fixed via such a
recursion setup?
-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Barry Margolin
Sent: Friday, July 14, 2006 8:32 AM
To: comp-protocols-dns-bind at isc.org
Subject: Re: Cache poisoning
In article <e98272$2h9$1 at sf1.isc.org>,
"Jeff Lightner" <jlightner at water.com> wrote:
> The BIND servers I'm talking about are a master and slave we use only
> for external queries to our internet facing systems and for forwards to
> the root servers from the inside (internally we have Windows DNS
> servers).
>
> The question came up because our security admin ran a Nessus scan and it
> indicated we're running a version of BIND susceptible to cache
> poisoning. I'm going to upgrade the OS and the BIND on the servers in
> question. I had asked to do this some months ago and the Nessus scan
> helped me get the point across. However I was of the impression that
> cache poisoning was only an issue on a caching name server and we aren't
> running one. The responses you and Barry sent seem to confirm that. I
> just wanted to know the urgency of doing the upgrade as approvals flow
> like molasses around here.
What do you mean by "forwards to the root servers from the inside"? You
can't really use the root servers as forwarders, so I assume you mean it
has root hints configured, and uses this to look up outside domains on
behalf of queries coming from inside. This *is* a caching name server.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***