DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

Ray Bellis ray at isc.org
Tue Jan 4 21:23:26 UTC 2022



On 04/01/2022 21:12, Grant Taylor via bind-users wrote:

> Yep.  This is where I have settled.  But I don't feel I can defend
> it when asked.  Hence my seeking to better understand.

There are categories of bugs that specifically affect recursion, and in
BIND these are _much_ more common than those that affect authoritative
service.  Adding auth service barely touches the attack surface.

And with BIND's separation between authoritative and recursively cached
trees there is (AFAIK) no risk of cache pollution affecting the
authoritative data.

Furthermore, having the auth data for your own zones present there 
actually ensures that your own zones' data:

1.  will always be served in preference to cached data

2.  will be fresher (i.e. not subject to TTLs) assuming that
     NOTIFYs and/or a short SOA refresh is in place

3.  will be present if access to the authoritatives is lost
     for some period of time (/me waves at Facebook!)

I really can't see any downside.

Ray
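As an added illustration of the setup discussed in this thread (not part of Ray's message or of ISC's documentation), the named.conf fragment below restricts recursion and cache reads to trusted local networks while the same server holds a secondary copy of its own zone. The ACL name, the network prefixes (taken from the RFC 5737/3849 documentation ranges), the zone name and the primary's address are all placeholders chosen for the example.

```conf
// Added example, not from the original post. Prefixes, zone name and
// primary address are placeholders.
acl trusted {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;       // trusted local network (documentation range)
    2001:db8::/32;      // trusted local network (documentation range)
};

options {
    directory "/var/cache/bind";

    // Recursion, and answers taken from the recursive cache, are only
    // available to the trusted networks; everyone else gets authoritative
    // answers (or REFUSED for names the server is not authoritative for).
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    // Authoritative zones stay answerable to the world.
    allow-query { any; };

    dnssec-validation auto;
};

// Secondary copy of the organisation's own zone. Because BIND serves
// authoritative data ahead of anything in the cache, local clients get
// this copy rather than a cached (and TTL-aged) answer, and it remains
// available if the primaries become unreachable. Configure the primary
// to send NOTIFY to this server (or keep the SOA refresh short) so the
// copy stays current.
zone "example.com" {
    type secondary;
    primaries { 198.51.100.53; };   // placeholder primary address
    file "db.example.com";
};
```

The `allow-query-cache` line is stated explicitly even though BIND defaults it to the `allow-recursion` value, so that the split between "who may recurse" and "who may see cached data" is visible in the file; with `named-checkconf` you can confirm the fragment parses before reloading.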
