DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

Borja Marcos borjam at sarenet.es
Mon Jan 3 07:15:22 UTC 2022



> On 30 Dec 2021, at 09:07, Danilo Godec via bind-users <bind-users at lists.isc.org> wrote:
> 
> The source is a security audit report, claiming that using a single server for both authoritative (for public use) and recursive (limited to internal clients by means of 'allow-recursion' directive) roles increases the risk of DoS attacks and DNS cache poisoning... They mentioned CVE-2021-20322 that supposedly makes cache poisoning feasible (again) - that made them increase the concern level to a 'medium'.
> 
> 
> While I understand how and why DoS and cache poisoning are bad, I don't understand how separating these two roles would help mitigate the risk.

Well, it’s certainly best practice to separate the roles.

First and foremost: if you separate the roles it is much simpler to implement effective access control. You can
completely disable requests to a recursive DNS server using traffic filtering. If you implement both network filtering and BIND access
lists, exploitation would require two mechanisms to fail or be buggy.

Assuming that you are using dual-role servers, imagine that a bug that allows cache poisoning by crafting requests in some way is discovered. If you
separate the roles, exploitation will be harder and less likely.

Note that traffic filtering to a recursive DNS server is trickier than it seems. You also need to filter out spoofed requests at the network edge,
or it would be possible to use your own DNS server(s) to launch DoS attacks against your own users.

Cheers,




Borja.
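The reply above argues for two independent layers (BIND access lists such as `allow-recursion` plus network filtering) and for verifying that both actually hold. The probe below is an added example, not code from this thread or from ISC. It sends one query with the RD bit set for a name the target is not authoritative for and reads the reply header: BIND clears the RA (recursion available) bit and answers REFUSED for clients outside `allow-recursion` or when `recursion no;` is set, so RA is the signal. Run it from outside your trusted networks against the public-facing server (expected: `recursion-denied`, or `no-reply` if the packet filter drops you first) and from inside against the recursive one (expected: `recursion-available`). The sample replies embedded in the block are constructed, not captured traffic; `example.com` and the 192.0.2.1 answer are placeholders.

```python
"""Open-resolver probe: does this DNS server recurse for *this* client?

Added example (not from the bind-users post or ISC). One A/IN query with
RD=1 is sent; the reply header's RA bit says whether the server is willing
to recurse for our source address. Query a name the server does not serve,
otherwise you just get an authoritative answer regardless of recursion.
"""
import os
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed sample replies for offline checks (not captured traffic).
# Header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, then the question.
_QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
# QR=1 RD=1 RA=0 RCODE=REFUSED: what BIND returns to a client outside allow-recursion
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION
# QR=1 RD=1 RA=1 NOERROR with one A record (192.0.2.1, a documentation address)
SAMPLE_OPEN = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
               + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))


def build_query(qname: str, txid: int) -> bytes:
    """Minimal A/IN query: 12-byte header with RD=1, one question, no EDNS."""
    flags = 0x0100  # RD set, everything else clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        labels += struct.pack("B", len(raw)) + raw
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_reply(data: bytes, expected_txid: int) -> dict:
    """Decode the header; reject replies whose ID does not match our query."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    return {
        "aa": bool(flags & 0x0400),   # authoritative answer
        "ra": bool(flags & 0x0080),   # recursion available to this client
        "rcode": RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}"),
        "answers": an,
    }


def classify(reply: dict) -> str:
    """Turn the header flags into the verdict an auditor cares about."""
    if reply["ra"]:
        return "recursion-available"   # this client may use the cache: bad if external
    return "recursion-denied"          # REFUSED, or a referral with RA clear


def probe(server: str, qname: str = "example.com.", port: int = 53,
          timeout: float = 3.0) -> str:
    """Live UDP check. 'no-reply' usually means a packet filter dropped us."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, txid), (server, port))
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    return classify(parse_reply(data, txid))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} <server-ip> [qname]")
    print(probe(sys.argv[1], *sys.argv[2:3]))
```

One caveat the probe cannot cover: it tests the source address it actually sends from. Whether your edge also drops packets that spoof an internal source address, the condition the reply above warns about, has to be checked from outside with a spoofed-source test or by reviewing the ingress filter itself.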