DNS cache poisoning - am I safe if I limit recursion to trusted local networks?
Reindl Harald
h.reindl at thelounge.net
Thu Dec 30 13:55:50 UTC 2021
On 30.12.21 at 09:07, Danilo Godec via bind-users wrote:
> On 29. 12. 21 19:24, tale wrote:
>> On Wed, Dec 29, 2021 at 5:31 AM Danilo Godec via bind-users
>> <bind-users at lists.isc.org> wrote:
>>> I have an authoritative DNS server for a domain, but I was also going to
>>> use the same server as a recursive DNS for my internal network, limiting
>>> recursion by the IP. Apparently, this is a bad idea that can lead to
>>> cache poisoning...
>> In short, no, this configuration with a BIND 9 server does not
>> increase your risk of cache poisoning any more than running your local
>> server in pure recursive mode. I'm curious to hear more from the
>> source that has given you this impression. I suspect there were some
>> additional qualifications that don't align with what you've described.
>>
> The source is a security audit report, claiming that using a single
> server for both authoritative (for public use) and recursive (limited to
> internal clients by means of 'allow-recursion' directive) roles
> increases the risk of DoS attacks and DNS cache poisoning... They
> mentioned CVE-2021-20322 that supposedly makes cache poisoning feasible
> (again) - that made them increase the concern level to a 'medium'.
>
>
> While I understand how and why DoS and cache poisoning are bad, I don't
> understand how separating these two roles would help mitigate the risk
It doesn't.
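For reference, an added named.conf fragment (not from any message in this thread) showing the configuration the original poster describes: one BIND 9 server authoritative for a public zone with recursion limited to internal clients via 'allow-recursion', with the open-resolver form it replaces shown commented out. The zone name, file paths and address ranges are placeholders.

```conf
// Weak form: recursion is on with no restriction, so any host on the
// Internet can use this cache and pull answers into it (open resolver).
//
// options {
//     recursion yes;
// };

// Restricted form: only the listed internal clients may recurse or read
// the cache; the authoritative zone stays public.
acl "internal" {
    127.0.0.1;
    10.0.0.0/8;          // placeholder internal ranges
    192.168.0.0/16;
};

options {
    directory "/var/cache/bind";     // distribution-specific path (placeholder)
    recursion yes;
    allow-recursion   { internal; }; // the 'allow-recursion' directive from the thread
    allow-query-cache { internal; }; // outsiders cannot read cached answers either
    allow-query       { any; };      // authoritative data remains public
    dnssec-validation auto;          // validate upstream answers before they enter the cache
};

// Public zone served to everyone; 'allow-query { any; }' above applies to it.
zone "example.com" {
    type master;                     // 'primary' in newer BIND 9 releases
    file "/etc/bind/db.example.com"; // placeholder path
};
```

named-checkconf validates the syntax; the behaviour to confirm from a non-internal address is that a query for a name outside your own zones is answered REFUSED while the zone's own records still resolve.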