Recursion question + trust?

Mark Andrews Mark_Andrews at isc.org
Mon Mar 27 21:08:24 UTC 2006


> [cut]
> >> If this is true, how can I possibly guard against it (without allowing
> >> customers to poison the DNS)?
> >> What do (or maybe "should" is the better word) big ISPs do?
> > 
> > 	You set your access controls appropriately so only the
> > 	recursive-clients can see the cache.  Block queries at
> > 	the options level and allow them at the zone level.
> > 
> > 		acl recursive-clients { .... };
> > 
> > 		options {
> > 			allow-recursion { recursive-clients; };
> > 			allow-query { recursive-clients; };
> > 		};
> > 
> > 		zone example.com {
> > 			....
> > 			allow-query { any; };
> > 		};
> 
> Thanks for this. Can I just check that I have understood?
> By disallowing a query under "options", but allowing it under "zone", I am
> telling BIND not to serve requests from the cache?
> 
> How does this prevent other users of the cache (the customers)? i.e. if a
> customer decides to poison the DNS cache for the ISP, how does it prevent other
> customers being affected?
> The customers are the ones that are paying, so I want to protect them more.

	There is nothing you can do to prevent a customer from
	preloading the cache.  Note this is not cache poisoning.
	Cache poisoning is getting the cache to believe records
	that don't exist.

	What you showed was just plain cache abuse.  The records
	existed at some point.

> > 	If the domain registrar was doing their job they would be
> > 	checking that the zone was being served by your servers
> > 	before allowing the registration changes to proceed.
> > 
> > 	i.e.
> > 	     that they get two authoritative answers for the zone
> > 	with non-zero TTLs from each of the servers.
> > 
> > 	If they did the checks then the above scam wouldn't work.
> > 	It would also catch lots of silly configuration errors
> > 	leading to a more reliable DNS.
> > 
> > 	Similarly the registry should be demanding that the above
> > 	checks are being performed.  Some registries do this but
> > 	not all.
> 
> Thanks for this.
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
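An added example, not part of Mark's post and not ISC or BIND code: the registrar-style check described in the reply above, written against the DNS wire format with only the Python standard library. For each listed server it sends a non-recursive (RD=0) query and passes only if the reply is NOERROR, has the AA bit set, is not truncated, and carries matching records with non-zero TTLs. Reading "two authoritative answers" as one NS and one SOA answer per server is my assumption; the `192.0.2.x` addresses are TEST-NET placeholders, and `build_response` exists only to construct replies for offline use.

```python
import random
import socket
import struct

NS, SOA, IN = 2, 6, 1   # RR types queried (assumption: "two answers" = NS and SOA) and class IN


def encode_name(qname):
    """Wire-format a domain name, uncompressed."""
    labels = [p for p in qname.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def build_query(qname, qtype, qid=None):
    """RD=0: we want the server's own data, never something it recursed for or cached."""
    qid = random.randrange(1 << 16) if qid is None else qid
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, IN)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 64:                            # refuse pointer loops in hostile replies
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg):
    """Return header flags and the answer section as (owner, type, ttl) tuples."""
    qid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):                              # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        answers.append((owner.lower(), rtype, ttl))
        off += 10 + rdlen
    return {"id": qid, "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": answers}


def judge(resp, qname, qtype):
    """The registrar's rule: NOERROR, AA set, matching records present, all TTLs > 0."""
    if resp["rcode"] != 0:
        return False, "rcode %d" % resp["rcode"]
    if resp["tc"]:
        return False, "truncated, retry over TCP"
    if not resp["aa"]:
        return False, "answer not authoritative"
    want = qname.rstrip(".").lower() + "."
    ttls = [ttl for owner, rtype, ttl in resp["answers"] if owner == want and rtype == qtype]
    if not ttls or min(ttls) == 0:
        return False, "no type %d records for %s with TTL > 0" % (qtype, want)
    return True, "ok"


def query_server(server_ip, qname, qtype, timeout=3.0):
    """One UDP query to server_ip:53; the only function here that touches the network."""
    q = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack_from("!H", q, 0)[0]:
        raise ValueError("response ID mismatch")
    return resp


def check_delegation(qname, servers, query=query_server):
    """Ask every listed server for NS and SOA; map (server, qtype) -> (passed, reason)."""
    results = {}
    for ip in servers:
        for qtype in (NS, SOA):
            try:
                results[(ip, qtype)] = judge(query(ip, qname, qtype), qname, qtype)
            except (OSError, ValueError) as exc:
                results[(ip, qtype)] = (False, str(exc))
    return results


def build_response(qid, qname, qtype, rrs, aa=True, rcode=0):
    """Constructed reply for offline use; RR owners are a pointer to the question name."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(rrs), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, IN)
    for rtype, ttl, rdata in rrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata
    return msg
```

Usage: `check_delegation("example.com", ["192.0.2.1", "192.0.2.2"])` (hypothetical addresses) returns one (passed, reason) pair per server and query type; a server that merely has the zone cached fails on the missing AA bit, and one serving an expired copy fails on the zero TTL. The same `query_server`/`judge` pair, run from outside the customer ranges and asked for a name you are not authoritative for, is also a quick way to confirm the `allow-query` split above is in effect: the resolver should answer REFUSED (rcode 5) rather than hand out its cache.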



More information about the bind-users mailing list