DNS cache poisoning - am I safe if I limit recursion to trusted local networks?
Grant Taylor
gtaylor at tnetconsulting.net
Tue Jan 4 21:12:05 UTC 2022
On 1/4/22 4:37 AM, Ray Bellis wrote:
> Better yet, use BIND's mirror zones feature so that the zone is also
> DNSSEC validated.
Completely agreed. I think the type of authoritative information is
somewhat independent of the fact that any authoritative information exists.
> IMHO, the strictures against running authoritative and recursive on the
> same server seem to get mis-applied a lot of the time. I think it's
> perfectly fine for an *internal* recursive server to also hold
> authoritative copies of your own zones.
Yep. This is where I have settled. But I don't feel I can defend it
when asked. Hence my seeking to better understand.
--
Grant. . . .
unix || die