DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

Tony Finch dot at dotat.at
Wed Dec 29 17:49:59 UTC 2021


Danilo Godec via bind-users <bind-users at lists.isc.org> wrote:
>
> I have an authoritative DNS server for a domain, but I was also going to
> use the same server as a recursive DNS for my internal network, limiting
> recursion by the IP. Apparently, this is a bad idea that can lead to
> cache poisoning...

Sort of. It's complicated.

Of course DNSSEC can prevent cache poisoning, but there is more to this
particular question.

In older DNS software (BIND 8 and before) there was not much separation
between the recursive cache and authoritative data. It was possible for
recursive clients to get data into the cache that could leak into
authoritative responses, e.g. glue addresses, and addresses of CNAME or MX
targets that pointed out-of-zone. This could lead to cache poisoning of
other recursive servers, especially those that trusted additional data too
much (before RFC 2181).

BIND 9 keeps its authoritative and recursive data more separate. As a user
you can see this in the ACL options, allow-recursion, allow-query-cache,
etc. It is possible to configure BIND 9 so that remote clients see an
authoritative-only view, and local clients have access to a recursive
view, but it isn't entirely straightforward. Best practice is still to
configure servers that appear in NS records to be authoritative-only.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Trafalgar: Variable 4 or less, but southerly 5 or 6 in northwest.
Moderate or rough in southeast, rough or very rough in northwest. Fog
patches. Moderate or good, occasionally very poor.
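A minimal named.conf arrangement of the kind described in the reply above, with one recursive view for local clients and one authoritative-only view for everyone else. This is an added example, not configuration from the original message or from ISC; the zone name, file paths and the 192.0.2.0/24 prefix are assumed placeholders.

```conf
// Added example (not from the original post): BIND 9 named.conf fragment
// splitting the recursive cache from the authoritative zone by view.
// Zone name, file paths and the 192.0.2.0/24 prefix are assumed placeholders.

acl "internal" {
    localhost;
    localnets;
    192.0.2.0/24;        // assumed internal prefix; replace with your own
};

// Views are matched in order, so the internal view must come first;
// the catch-all "external" view would otherwise swallow every client.
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    allow-recursion { "internal"; };
    allow-query-cache { "internal"; };

    // Local clients get authoritative answers for this zone directly and
    // recursive answers for every other name.
    zone "example.com" {
        type master;
        file "/var/named/example.com.db";   // assumed path
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };   // never hand cached data to remote clients

    // Remote resolvers only ever see authoritative data for this zone;
    // nothing is resolved on their behalf and nothing from the cache is
    // exposed to them.
    zone "example.com" {
        type master;
        file "/var/named/example.com.db";   // assumed path
    };
};
```

A quick confirmation of the split is to query the server from an outside address and check that the response flags do not include ra (recursion available), while the same query from inside does.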