DNS cache poisoning - am I safe if I limit recursion to trusted local networks?
Danilo Godec
danilo.godec at agenda.si
Wed Dec 29 10:30:26 UTC 2021
Hello,
I have an authoritative DNS server for a domain, but I was also going to
use the same server as a recursive DNS for my internal network, limiting
recursion by the IP. Apparently, this is a bad idea that can lead to
cache poisoning...
After watching a Computerphile Youtube video
(https://www.youtube.com/watch?v=7MT1F0O3_Yw) on that topic I have a
rough understanding of how cache poisoning works, but it doesn't explain
why limiting recursion to 'trusted' IP networks doesn't help.
Is it because with UDP, IPs can be 'easily' spoofed, and if someone
guessed my internal network IPs and spoofed the IP, my DNS server would
happily accept their requests? Or is it even wider than that?
Danilo