Poisoning "External" Cache with "Internal" Info

Kevin Darcy kcd at daimlerchrysler.com
Fri Aug 6 20:53:18 UTC 2004


Crist J. Clark wrote:

>I'm having some problems that involve poisoning my own cache
>with data from an internal zone.
>
>I'll warn you right now, this setup is a kludge on top of some
>other kludges. I have a DNS server that provides services to
>internal clients, server A.internal.example.com. It sees (well,
>it's supposed to) the Internet root servers for recursive queries,
>plus it has a heap of internal zones for which it is authoritative.
>It is a master of some, a slave for others, and even is configured
>to forward a zone (which is where the trouble begins).
>
>The forwarded zone is being forwarded through an even "more
>internal" DNS server, server B.way-internal.example.com. This more
>internal server does NOT use the Internet roots. It has been told
>that it is authoritative for ..
>
>The problem is that when our server A.internal.example.com
>forwards a query for this zone, example.ca,
>
>  example.ca	IN	ANY
>
>To B.way-internal.example.com, B replies like so,
>
>  ;; ANSWER SECTION:
>  example.ca.		3600	IN	MX	10 mail.example.ca
>  example.ca		3600	IN	MX	10.10.10.10
>
>  ;; AUTHORITY SECTION:
>  ca.			86400	IN	NS	b.way-internal.example.com.
>
>  ;; ADDITIONAL SECTION:
>  mail.example.com.	3600	IN	A	10.10.10.11
>  b.way-internal.example.com. 3600 IN	A	10.10.10.5
>
>And now A.internal.example.com will actually believe that authority
>information about the ca. TLD until it expires. Sorry, Canada, you
>just dropped off the Internet as far as our Internet DNS can see.
>
>Some additional, ugly, information. I cannot just do another slave
>zone with this. B.way-internal.example.com is _also_ forwarding
>this zone, and I really cannot change that. Getting that forwarding
>to all work is why I needed to add records to make it authoritative
>for ca. in the first place. (With no ca. zone, I was getting a
>SERVFAIL.)
>
Well, forwarding won't work without delegation (as you have discovered), 
but you can delegate any number of levels you want. You should, for 
instance, be able to delegate straight from your internal root zone to 
example.ca.

                        - Kevin
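As an added illustration of Kevin's suggestion (not configuration from either poster), this is how the internal root zone on B.way-internal.example.com could delegate straight to example.ca. With the delegation at the root, B needs no "ca." zone, so nothing it returns to A carries an NS record for ca. that A would cache; the only out-of-thread values (ns1.example.ca, 10.10.10.12, the file name and serial) are assumed.

```text
; --- Internal root zone served by B.way-internal.example.com ---
; assumed file name: db.internal-root
$TTL 86400
.   IN SOA b.way-internal.example.com. hostmaster.example.com. (
        2004080601  ; serial (assumed)
        3600        ; refresh
        900         ; retry
        604800      ; expire
        86400 )     ; negative-cache TTL
.                           IN NS  b.way-internal.example.com.
b.way-internal.example.com. IN A   10.10.10.5

; Delegate example.ca directly from the root. No "ca." zone exists,
; so B never claims authority for the ca. TLD.
example.ca.                 IN NS  ns1.example.ca.
ns1.example.ca.             IN A   10.10.10.12   ; glue, assumed address

; --- named.conf on B: serve the internal root, keep forwarding example.ca ---
zone "." {
    type master;
    file "db.internal-root";
};
zone "example.ca" {
    type forward;
    forward only;
    forwarders { 10.10.10.12; };   ; assumed upstream for the forwarded zone
};

; --- named.conf on A.internal.example.com: unchanged forward zone ---
zone "example.ca" {
    type forward;
    forward only;
    forwarders { 10.10.10.5; };
};
```

After reloading B, an ANY query for example.ca sent to 10.10.10.5 should show example.ca NS records (not ca. NS) in its authority section; that is the check that A's cache can no longer pick up the bogus ca. delegation.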




More information about the bind-users mailing list