DNS cache poisoning - am I safe if I limit recursion to trusted local networks?
Grant Taylor
gtaylor at tnetconsulting.net
Tue Jan 4 03:52:52 UTC 2022
On 1/3/22 10:57 AM, John Thurston wrote:
> It must have a 'forward' zone defined on it for each of those stupid
> domains. And yes, you are right . . at that point it is no longer only
> performing recursion.
;-)
> But there is no other way to do it. Even in a combined
> recursive/authoritative design, your server would have no way to resolve
> names in those stupid domains; there must be an explicit 'forward' zone
> defined.
If I'm allowing recursion and authoritative on the same server, I'd have
the recursive + authoritative server do secondary zone transfers off of
the internal MS-DNS / AD server. That way the clients can get the info
off of the first server they talk to.
To me, the secondary copy of the zone is a form of authoritative
information on the otherwise recursive server.
--
Grant. . . .
unix || die
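The two ways of getting the internal AD domains resolvable on the recursive server that the message contrasts, written out as an added named.conf example (not configuration from the thread or from ISC): a `forward` zone that hands queries for the domain to the internal MS-DNS server, beside a `secondary` zone that transfers a copy of the same zone so the recursive server answers for it directly. The domain name, the 10.0.0.5 address of the internal AD server and the 10.0.0.0/8 trusted network are constructed values; `allow-recursion` is restricted to the trusted local networks as the subject line describes.

```conf
// Added example, not from the thread. Names and addresses are constructed.
options {
    directory "/var/cache/bind";
    // Only trusted local networks may use this server recursively;
    // everyone else gets answers only for zones it is authoritative for.
    allow-recursion { localnets; 10.0.0.0/8; };
    allow-query { localnets; 10.0.0.0/8; };
};

// Approach 1: forward zone. Queries under corp.example are sent to the
// internal MS-DNS / AD server (constructed address 10.0.0.5) and the
// recursive server caches whatever it returns. No zone data is held locally.
zone "corp.example" {
    type forward;
    forward only;               // never fall back to public recursion for this name
    forwarders { 10.0.0.5; };
};

// Approach 2 (the one the message prefers): secondary zone. The recursive
// server pulls the zone by AXFR/IXFR from the AD server and answers for it
// authoritatively, so clients get the data from the first server they ask.
// The AD server must permit transfers from this host for this to work.
zone "corp.example" {
    type secondary;             // "type slave; masters { ... };" on older BIND 9
    primaries { 10.0.0.5; };
    file "db.corp.example";     // local copy of the transferred zone
};
```

Only one of the two `zone "corp.example"` stanzas can be present in a real named.conf; they are shown side by side for comparison. With the secondary form, the copy of the zone is authoritative data on the otherwise recursive server, which is the point the message makes.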