separation of authoritative and recursive functions on internal networks

Gary Carr garycarr100 at gmail.com
Wed Aug 5 14:18:32 UTC 2015


Hello,

I understand the importance of separating authoritative and recursive
functions on public facing systems. How crucial is it on internal
systems?

My clients today resolve against internal servers that do recursion
and also hold authoritative secondary copies of important internal
zones. I did see on the ISC KB that this is an acceptable
configuration, "having determined that the benefit outweighs any risks
associated with this policy."

The primary benefit as I understand it, is that in removing the
authoritative function from the recursive systems and isolating it on
separate hardware (with an ACL permitting only the recursive servers
to use them), I decrease the attack surface. The recursive servers are
now isolated from being vulnerable to attacks against the
authoritative code base.

In my environment, the recursive function is important, but not nearly
as important as the authoritative resolution of internal namespaces.
Has this separation of function improved my security posture in that
area? If we assume the internal environment is hostile, an attacker
now simply has to launch their authoritative-busting code against the
authoritative servers rather than the recursive servers, forging the
source as the recursive servers? The end result is the same in either
design - an outage for critical internal functionality.

What are the downsides? Is it a stretch to say that this design might
actually introduce security concerns? For example, if the
authoritative function is moved, and the clients are left pointing at
a now recursive-only server, that recursive server is now
theoretically vulnerable to cache-poisoned records for those critical
internal namespaces, whereas previously that was impossible because
it was answering them authoritatively?

Does this design potentially weaken operational stability? By breaking
out the authoritative functions onto unique hardware, we've now
introduced a second place in the service delivery chain where a
failure will be catastrophic to business function?

Overall, is breaking this function out - internally - really worth it?

Thoughts and comments appreciated

Cheers!

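The split the question describes, written out as BIND named.conf fragments. This is an added example for illustration and is not part of the original post or any ISC document; every address, ACL name and zone name (10.0.2.10/11 for the authoritative pair, 10.0.1.10/11 for the recursors, corp.example) is an assumption. It also shows one way to address the cache-poisoning worry raised above: pinning the critical internal zones on the recursive servers to the internal authoritative servers with static-stub (or forward-only) zones, so those names are never looked up via the public tree.

```conf
// ---- authoritative-only server (assumed address 10.0.2.10) ----
// Answers only the internal recursors; no recursion, so the authoritative
// code path is the only thing exposed here.
acl recursors { 10.0.1.10; 10.0.1.11; };

options {
    directory "/var/named";
    listen-on { 10.0.2.10; };
    recursion no;                          // authoritative only
    allow-query { recursors; localhost; }; // only the recursors may ask
    allow-query-cache { none; };           // nothing cached to expose anyway
    allow-transfer { none; };              // secondaries pull, nobody pulls from us
    minimal-responses yes;
};

// Secondary copy of an important internal zone (assumed name).
// BIND 9.16+ also accepts "type secondary" / "primaries".
zone "corp.example" {
    type slave;
    masters { 10.0.2.1; };                 // assumed hidden primary
    file "sec/corp.example";
};

// ---- recursive-only server (assumed address 10.0.1.10) ----
// Holds no authoritative data; clients point here.
acl internal    { 10.0.0.0/8; 192.168.0.0/16; };
acl authservers { 10.0.2.10; 10.0.2.11; };

options {
    directory "/var/named";
    listen-on { 10.0.1.10; };
    recursion yes;
    allow-query     { internal; localhost; };
    allow-recursion { internal; localhost; };
    allow-transfer  { none; };
    dnssec-validation auto;                // validates the public tree
};

// Pin the critical internal zone to the internal authoritative servers:
// queries for corp.example go only to authservers, never to the root or
// to whatever the public delegation says, so an answer for these names
// can only be fed into the cache from those addresses.
zone "corp.example" {
    type static-stub;
    server-addresses { 10.0.2.10; 10.0.2.11; };
};

// Same idea for reverse space, using a forward-only zone instead.
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.0.2.10; 10.0.2.11; };
};
```

Two caveats on what this does and does not buy. Static-stub and forward-only zones constrain which servers the recursor talks to for those names; they do not change how the recursor accepts replies, so an attacker who can spoof the authoritative servers' source addresses onto the recursor's query port still has the usual off-path window. Closing that gap means signing the internal zones and configuring their key on the recursors as a trust anchor (trusted-keys / trust-anchors), or keeping the recursors as secondaries for those zones as in the original design. To confirm a recursor has actually lost authority for a zone after the change, `dig @10.0.1.10 corp.example SOA +norecursive` should come back without the AA flag, while the same query against 10.0.2.10 should set it.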

More information about the bind-users mailing list