DNS cache poisoning - am I safe if I limit recursion to trusted local networks?
Danilo Godec
danilo.godec at agenda.si
Thu Dec 30 08:07:54 UTC 2021
On 29. 12. 21 19:24, tale wrote:
> On Wed, Dec 29, 2021 at 5:31 AM Danilo Godec via bind-users
> <bind-users at lists.isc.org> wrote:
>> I have an authoritative DNS server for a domain, but I was also going to
>> use the same server as a recursive DNS for my internal network, limiting
>> recursion by the IP. Apparently, this is a bad idea that can lead to
>> cache poisoning...
> In short, no, this configuration with a BIND 9 server does not
> increase your risk of cache poisoning any more than running your local
> server in pure recursive mode. I'm curious to hear more from the
> source that has given you this impression. I suspect there were some
> additional qualifications that don't align with what you've described.
>
The source is a security audit report, claiming that using a single
server for both authoritative (for public use) and recursive (limited to
internal clients by means of 'allow-recursion' directive) roles
increases the risk of DoS attacks and DNS cache poisoning... They
mentioned CVE-2021-20322 that supposedly makes cache poisoning feasible
(again) - that made them increase the concern level to a 'medium'.
While I understand how and why DoS and cache poisoning are bad, I don't
understand how separating these two roles would help mitigate the risk.
Thanks for helping me understand,
Danilo
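The two deployment shapes discussed in the thread, written out as an added `named.conf` example (not taken from the original post or from the audit report): the single-server layout that gates recursion on the client's source address with `allow-recursion`, and a view-based layout on the same host that serves the zone to everyone but answers recursive queries only for internal clients. The ACL ranges, zone name and file path are assumed placeholders.

```conf
// Added example, not taken from the thread. ACL ranges, the zone name and the
// file path are placeholders; adjust them to the real deployment.
acl "internal" {
    127.0.0.1;
    10.0.0.0/8;
    192.168.0.0/16;
};

// --- Variant A: one server, both roles (the layout asked about) ---
// The zone is served to anyone; recursion and reads from the cache are
// gated on the client's source address through the ACL.
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { "internal"; };
    allow-query-cache { "internal"; };
};

zone "example.com" {
    type master;            // spelled "primary" on BIND 9.16 and later
    file "example.com.zone";
};

// --- Variant B: same host, roles separated with views ---
// Keep the options block and move the zone into the two views below.
// Internal clients get a recursive view; everyone else gets an
// authoritative-only view with recursion off, so the external face never
// answers from the cache. (Once any view is declared, every zone must
// live inside a view.)
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

Validate either variant with `named-checkconf` before reloading; from an address outside the ACL, a `dig` for a name in the zone should be answered while a query for an unrelated name should come back REFUSED.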