DNS cache poisoning - am I safe if I limit recursion to trusted local networks?
Grant Taylor
gtaylor at tnetconsulting.net
Mon Jan 3 17:35:04 UTC 2022
On 1/3/22 12:15 AM, Borja Marcos wrote:
> If you separate the roles it is much simpler to implement an effective
> access control.
The problem I have with separating recursive and authoritative servers
has to do with internal LANs and things like Microsoft Active Directory
on non-globally-recognized domains.
In short, how do you get a /purely/ /recursive/ server to know that
internal-corp-lan.example (or any domain not in the global DNS
hierarchy) is served by some other /purely/ /authoritative/ DNS server
inside the company?
I feel like anything you do to the /purely/ /recursive/ DNS server to
get it to know that it needs to route based on the DNS domain
information slides away from the /purely/ /recursive/ role to somewhat
/mixed/ /recursive/ & /authoritative/ role.
This niche role is the one nagging thing that I have that prevents me
from supporting and proselytizing the role separation anywhere and
everywhere. -- I've been looking for, but have not yet found, what I
consider to be a good method that maintains strict separation of roles
in this niche use case.
Note: I'm completely on board with the separate roles for public /
Internet facing servers.
--
Grant. . . .
unix || die
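For reference, the mechanism that BIND offers for exactly this case is a forward zone (or a static-stub zone) on the recursive server. The fragment below is an added illustration, not code from the post above or from the BIND project; the zone name is the one used in the message, while the 10.0.0.53 / 10.0.1.53 server addresses, the client networks, and the assumption of BIND 9.16 or later are placeholders chosen for the example.

```conf
// Added example (not from the original post): telling a BIND recursive
// resolver that an internal-only zone is served by separate authoritative
// servers. Addresses and networks are placeholders for this example.

options {
    recursion yes;
    // Only internal clients may recurse; everyone else gets REFUSED.
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; localhost; };
    dnssec-validation auto;
    // Assumes BIND 9.16 or later. The internal zone does not exist in the
    // global tree, so a validating resolver cannot chain it to the root
    // trust anchor; without this exception the answers are marked bogus.
    validate-except { "internal-corp-lan.example"; };
};

// Option A: forward the internal zone to the internal authoritative
// servers. "forward only" means the resolver never falls back to the
// global tree for this name, so internal names are not leaked upstream
// if the internal servers are unreachable.
zone "internal-corp-lan.example" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; 10.0.1.53; };
};

// Same treatment for the matching reverse zone, so PTR lookups for the
// internal address space also stay internal.
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; 10.0.1.53; };
};

// Option B (alternative to A; a name may appear in only one zone statement):
// a static-stub zone makes the resolver send non-recursive queries directly
// to the listed servers and treat them as the zone's authority, rather than
// relying on the forwarder to recurse on its behalf.
//
// zone "internal-corp-lan.example" {
//     type static-stub;
//     server-addresses { 10.0.0.53; 10.0.1.53; };
// };
```

`named-checkconf /etc/named.conf` checks the syntax before a reload. Neither option makes the resolver authoritative for the zone: it still answers from cache and still asks another server for the data, which is the distinction between this configuration and the mixed role the post describes; whether routing by name on its own already counts as leaving the purely recursive role is the judgement call the post raises.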