Recursion question + trust?
jack brack
jack.brack at inbox.com
Mon Mar 27 14:43:22 UTC 2006
[cut]
>> If this is true, how can I possibly guard against it (without allowing
>> customers to poison the DNS)?
>> What do (or maybe "should" is a better word) big ISPs do?
>
> You set your access controls appropriately so only the
> recursive clients can see the cache. Block queries at
> the options level and allow them at the zone level.
>
> acl recursive-clients { .... };
>
> options {
>     allow-recursion { recursive-clients; };
>     allow-query { recursive-clients; };
> };
>
> zone example.com {
>     ....
>     allow-query { any; };
> };
Thanks for this. Can I just check that I have understood?
By disallowing a query under "options", but allowing it under "zone", I am telling BIND not to serve requests from the cache?
How does this prevent other users of the cache (the customers)? i.e. if a customer decides to poison the DNS cache for the ISP, how does it prevent other customers being affected?
The customers are the ones that are paying, so I want to protect them more.
>
> If the domain registrar was doing their job they would be
> checking that the zone was being served by your servers
> before allowing the registration changes to proceed.
>
> i.e.
> that they get two authoritative answers for the zone
> with non-zero ttls from each of the servers.
>
> If they did the checks then the above scam wouldn't work.
> It would also catch lots of silly configuration errors
> leading to a more reliable DNS.
>
> Similarly the registry should be demanding that the above
> checks are being performed. Some registries do this but
> not all.
Thanks for this.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
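Both checks discussed in this thread (the registrar's delegation test: each listed server must answer an SOA query with RD=0, AA set and a non-zero TTL; and the access-control split: a non-customer asking for a name outside the served zones should get REFUSED) can be exercised with a small stdlib-only DNS client. The code below is an added example for this archive page, not code from the thread or from ISC; the zone example.com, the server ns1.example.net and the response bytes it builds offline are constructed for illustration.

```python
import socket
import struct

TYPE_A, TYPE_SOA, CLASS_IN = 1, 6, 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5
TXID = 0x1234


def encode_name(name):
    """Dotted name -> DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, rd=False, txid=TXID):
    """One-question query; rd=False (the default) asks for no recursion."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def _skip_name(msg, off):
    """Offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Pull out txid, AA flag, RCODE and the (type, ttl) of each answer RR."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen                        # rdata itself is not inspected
        answers.append((rtype, ttl))
    return {"txid": txid, "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "answers": answers}


def delegation_ok(resp):
    """Registrar check: authoritative NOERROR answer with an SOA whose TTL > 0."""
    return (resp["rcode"] == RCODE_NOERROR and resp["aa"]
            and any(t == TYPE_SOA and ttl > 0 for t, ttl in resp["answers"]))


def is_refused(resp):
    """Access-control check: off-zone query from a non-customer is REFUSED."""
    return resp["rcode"] == RCODE_REFUSED


def query_server(server_ip, qname, qtype, rd=False, timeout=3.0):
    """Send one UDP query (IPv4 only) and parse the reply; network access needed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qtype, rd=rd), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["txid"] != TXID:
        raise ValueError("transaction id mismatch")
    return resp


def make_response(qname, qtype, aa, rcode, answers, txid=TXID):
    """Constructed reply for offline demonstration; answers are (type, ttl, rdata)."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    rrs = b""
    for rtype, ttl, rdata in answers:   # 0xC00C points at the question name (offset 12)
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + rrs


# Constructed SOA rdata for the hypothetical zone example.com.
SAMPLE_SOA_RDATA = (encode_name("ns1.example.net.") + encode_name("hostmaster.example.com.")
                    + struct.pack("!IIIII", 2006032701, 7200, 900, 1209600, 3600))


def demo():
    """Run both checks on constructed replies; returns (good, lame, refused) results."""
    good = parse_response(make_response("example.com.", TYPE_SOA, True, RCODE_NOERROR,
                                        [(TYPE_SOA, 3600, SAMPLE_SOA_RDATA)]))
    # Non-authoritative SOA (served from cache) is what a lame delegation looks like.
    lame = parse_response(make_response("example.com.", TYPE_SOA, False, RCODE_NOERROR,
                                        [(TYPE_SOA, 2400, SAMPLE_SOA_RDATA)]))
    refused = parse_response(make_response("www.other.test.", TYPE_A, False,
                                           RCODE_REFUSED, []))
    return delegation_ok(good), delegation_ok(lame), is_refused(refused)


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:   # usage: probe.py <zone> <server-ip> [<server-ip> ...]
        zone, servers = sys.argv[1], sys.argv[2:]
        for s in servers:
            print(s, "delegation OK" if delegation_ok(query_server(s, zone, TYPE_SOA)) else "LAME")
    else:
        print(demo())
```

Run with a zone and the IP addresses listed at the registry to reproduce the check Mark describes; run `query_server(ip, "www.other.test.", TYPE_A)` from an address outside the recursive-clients ACL to confirm the options-level allow-query really refuses off-zone lookups.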