DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

John Thurston john.thurston at alaska.gov
Mon Jan 3 17:57:12 UTC 2022


On 1/3/2022 8:35 AM, Grant Taylor via bind-users wrote:
> In short, how do you get a /purely/ /recursive/ server to know that
> internal-corp-lan.example (or any domain not in the global DNS
> hierarchy) is served by some other /purely/ /authoritative/ DNS server
> inside the company?

It must have a 'forward' zone defined on it for each of those stupid 
domains. And yes, you are right . . at that point it is no longer only 
performing recursion.

But there is no other way to do it. Even in a combined 
recursive/authoritative design, your server would have no way to resolve 
names in those stupid domains; there must be an explicit 'forward' zone 
defined.


--
Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska
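An added example of the configuration John describes, not from the original post and not BIND's own documentation. The ACL name, the internal domain `internal-corp-lan.example`, and the internal authoritative server address 10.0.0.53 are assumptions; the `validate-except` option assumes BIND 9.16 or later. It shows the explicit `forward` zone that a recursion-only server needs, together with the recursion limit from the thread's subject and the two settings that decide whether internal names stay internal.

```conf
// Added example (not from the original post): named.conf fragment for a
// caching resolver that also knows about one internal domain.
// Assumed names: acl "trusted", internal server 10.0.0.53.

acl "trusted" {
    127.0.0.1;
    10.0.0.0/8;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    // Only the trusted networks may use this server as a recursor
    // (the mitigation from the subject line: no open resolver).
    allow-recursion { trusted; };
    allow-query { trusted; };
    dnssec-validation auto;
    // The signed root zone proves that "example." does not exist, so a
    // validating resolver would mark every answer from the internal server
    // as bogus. Exempt just that subtree from validation rather than
    // turning validation off globally (assumes BIND 9.16 or later).
    validate-except { "internal-corp-lan.example"; };
};

// The explicit forward zone: names under the internal domain go to the
// internal authoritative server instead of global recursion.
zone "internal-corp-lan.example" {
    type forward;
    // "only" keeps these queries internal even when 10.0.0.53 is down;
    // "first" would fall back to the public hierarchy and leak the names.
    forward only;
    forwarders { 10.0.0.53; };
};
```

Run `named-checkconf` on the file before reloading; it catches a misspelled option but not a wrong forwarder address, so also confirm with `dig @127.0.0.1 host.internal-corp-lan.example` that answers come from the internal server and that a public name still resolves through normal recursion.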

