Separate auth/recursive servers for internal-only zones?

David Carmean dlc-bu at halibut.com
Mon Jan 21 03:41:53 UTC 2002

I wanted to see if anyone on the "old list" had any more opinions
on this....

----- Forwarded message from Cricket Liu <cricket at menandmice.com> -----

From: "Cricket Liu" <cricket at menandmice.com>
To: "David Carmean" <dlc-b9 at halibut.com>,
	"Bind v9 users" <bind9-users at isc.org>
Subject: Re: Separate auth/recursive servers for internal-only zones?
Date: Thu, 17 Jan 2002 19:58:16 -0700

[ dlc wrote: ]

> I'm running some (currently BIND 8.2.3-REL) authoritative servers, 
> behind a firewall, for several internal forward and RFC-1918 domains.
> None of the domains are known from outside the firewall, but 
> there is no restriction on *outgoing* DNS queries; no central 
> forwarder(s) as a chokepoint or anything.
> 
> About a year ago, based on what I thought I understood about 
> cache poisoning, I split the then-combined authoritative/recursive/
> caching nameservers in two--a non-recursive auth-only server and 
> a generally plain-jane caching-only server (with some forward zone 
> statements to keep from looking outside for RFC-1918 answers)--by 
> running two separate named instances per box.  So while the 
> caching servers were still exposed to whatever pollution could 
> be yanked in from outside, at least there was no possibility 
> of it mixing with the authoritative zone data.
> 
> Jim Reid pointed out in his LISA-2001 class that by making these 
> internal caching servers stealth-slaves for local zones, I can 
> (in theory) prevent anybody from polluting those caching servers 
> with false answers for my local zones.  Makes sense; wish I'd 
> thought of that before I made myself go out and change hundreds 
> of resolv.conf files a year ago. [0]
> 
> However, now that's got me wondering about how I'm going to 
> configure my new servers with BIND-9:  if by this trick the 
> local zone data is protected against corruption, and these 
> servers can only be queried by clients inside the firewall, 
> is there any reason not to promote the "stealth" slave to a 
> registered NS for the zone?  In effect, is there any real 
> reason for me to separate the auth and recursive servers?  
> I think I read somewhere that BIND9 uses completely 
> different memory stores for authoritative and learned data?

If any of your local zones have subzones that your caching
name servers aren't authoritative for, I suppose that someone
could mount a cache poisoning attack and induce those name
servers to cache bogus subzone data.  Then internal resolvers
using those caching name servers could get the bogus
data.  In fact, I suppose that type of attack would work
against any internal zones the caching name servers weren't
authoritative for.  Of course, if by "local zones" you mean
all internal zones, then that's not a worry.

cricket

Men & Mice
DNS Software, Training and Consulting
www.menandmice.com

Attend our next DNS and BIND class!  See
http://www.menandmice.com/8000/8000_dns_training.html
for the schedule and to register for upcoming classes


----- End forwarded message -----
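As an added illustration, not taken from the thread or from either poster, here is a BIND 9 named.conf sketch of the arrangement under discussion: the internal caching resolver is a stealth slave for the internal zones, forwards the RFC 1918 reverse space inward, and also slaves a delegated subzone so that Cricket's caveat (cacheable, poisonable data for a subzone the resolver is not authoritative for) does not apply. Zone names, addresses and file paths are constructed placeholders.

```conf
// Caching-only resolver, internal side of the firewall (BIND 9 syntax).
// Constructed example: corp.example, the addresses and the file paths
// are placeholders, not values from the thread.
acl internal { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    allow-query     { internal; };
    allow-recursion { internal; };
};

// Stealth slave: zone data is transferred from the auth-only master, but
// this host is not in the zone's NS set, so nobody outside learns of it
// and answers for corp.example come from loaded zone data, not from
// cached (and possibly spoofed) responses.
zone "corp.example" {
    type slave;
    masters { 10.0.0.53; };
    file "slave/corp.example";
};

// Cricket's caveat: a subzone delegated out of corp.example that this
// server is NOT authoritative for would still be answered from the
// cache, so poisoned data for it could be served. Slaving it as well
// closes that gap.
zone "lab.corp.example" {
    type slave;
    masters { 10.0.1.53; };
    file "slave/lab.corp.example";
};

// RFC 1918 reverse space: forward only to the internal auth server so
// the resolver never goes looking outside the firewall for it.
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; };
};

// ---- On the auth-only master (separate named instance or host) ----
// recursion stays off; the stealth slaves are allowed to transfer the
// zone and are notified of changes even though they are not NS records.
options { directory "/var/named"; recursion no; };
zone "corp.example" {
    type master;
    file "master/corp.example";
    allow-transfer { 10.0.0.10; 10.0.0.11; };
    also-notify    { 10.0.0.10; 10.0.0.11; };
};
```

Every internal zone and delegated subzone needs its own slave stanza on the resolver; anything left out is resolved through the cache and is exactly the case Cricket describes.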
