Cache only and reverse mapping

John Wobus jw354 at cornell.edu
Fri Dec 16 17:18:00 UTC 2011


On Dec 16, 2011, at 11:22 AM, sasa sasa wrote:
> I'm trying to set up a DNS for an ISP, this ISP's DNS is in
> delegation tree (answering world), and I know about cache
> vulnerabilities so I was wondering what is the best solution for ISPs?
> By separating cache from authorities, you mean implementing 2 DNSs
> (2 different IPs)? This doesn't sound practical.


Then I suspect you know all this, but...

The practicality certainly depends upon your site's situation.  Many
sites have enough IPs to allocate a few more to DNS, and enough server
capacity to run more bind instances, but I imagine some don't.

Two such bind instances could be on different hardware or the same,
but two IPs would be necessary.  Bind typically runs on OSes that,
without tricks such as natting, generally support just one program
listening to a specific port/ip.  Bind's "view" feature allows a single
bind instance on a single IP to act a bit like two instances, offering
some of the advantages of isolating their respective functions.

Aside from this, a bind instance can be configured not to answer queries
for non-authoritative data from outside your address space.  This also
gives you some of the risk advantages you'd get from running separate
instances.

John Wobus
Cornell University
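The two single-instance options John describes (views, and refusing non-authoritative queries from outside your own address space) as one named.conf fragment. This is an added illustration, not configuration from the post or from ISC; the ACL name, the documentation prefixes, the listen address, the zone name and the file paths are all placeholders.

```conf
// Constructed example: one BIND 9 instance on a single IP that serves the
// ISP's zone to the whole world but recurses only for its own customers.
// All addresses, names and paths are placeholders.

acl "our-nets" {
    127.0.0.0/8;
    192.0.2.0/24;        // placeholder customer IPv4 space
    2001:db8::/32;       // placeholder customer IPv6 space
};

options {
    directory "/var/named";
    listen-on { 192.0.2.53; };       // placeholder service address
    // Fail closed: these defaults apply to every view unless a view
    // overrides them, so a view that forgets to set them is not recursive.
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
};

// Views are matched in order, so the customer view must come first.
view "internal" {
    match-clients { our-nets; };
    recursion yes;
    allow-recursion { our-nets; };
    allow-query-cache { our-nets; };

    zone "example.net" {
        type master;
        file "db.example.net";
    };
};

// Everyone else gets authoritative answers only; a query for anything
// not in our zone data is REFUSED instead of resolved or served from cache.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };

    zone "example.net" {
        type master;      // the same zone must be declared in each view
        file "db.example.net";
    };
};
```

Without views, the second option in the post is just the three options-level lines with `our-nets` in place of `none` and no view blocks; `named-checkconf` validates the file before you reload.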



More information about the bind-users mailing list