DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

Ray Bellis ray at isc.org
Tue Jan 4 11:37:31 UTC 2022
On 04/01/2022 03:52, Grant Taylor via bind-users wrote:

> If I'm allowing recursion and authoritative on the same server, I'd have 
> the recursive + authoritative server do secondary zone transfers off of 
> the internal MS-DNS / AD server.  That way the clients can get the info 
> off of the first server they talk to.
> 
> To me, the secondary copy of the zone is a form of authoritative 
> information on the otherwise recursive server.

Better yet, use BIND's mirror zones feature so that the zone is also 
DNSSEC validated.

IMHO, the strictures against running authoritative and recursive on the 
same server seem to get mis-applied a lot of the time.  I think it's 
perfectly fine for an *internal* recursive server to also hold 
authoritative copies of your own zones.

Ray
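As an added example (not part of Ray's or Grant's messages, and not taken from BIND's documentation), a named.conf fragment showing both approaches side by side on one internal resolver: recursion limited to a trusted ACL, the AD zone as a plain secondary, and a DNSSEC-signed zone as a mirror zone. Zone names, addresses and networks are placeholders.

```conf
// Constructed example: internal resolver that also holds copies of its own zones.
// All names, addresses and networks below are placeholders.

acl "trusted" {
    10.0.0.0/8;        // internal client networks (placeholder)
    127.0.0.1;
    ::1;
};

options {
    directory "/var/cache/bind";

    // Recursion only for internal clients; anything else is refused.
    recursion yes;
    allow-recursion { trusted; };
    allow-query { trusted; };
    allow-query-cache { trusted; };

    // Required for mirror zones, and validates ordinary recursive answers too.
    dnssec-validation auto;
};

// Grant's approach: a plain secondary of the internal AD zone. The data is
// trusted because of where the transfer comes from, not because it is
// signed, so it is never DNSSEC validated by this server.
zone "corp.example.com" {
    type secondary;                // spelled "slave" on BIND before 9.16
    primaries { 192.0.2.10; };     // internal MS-DNS / AD server (placeholder)
    file "corp.example.com.db";
};

// Ray's suggestion: a mirror zone (BIND 9.14 and later). The transferred
// copy is only served once it validates against the DNSSEC chain of trust;
// until then, or if validation fails, the zone is resolved by normal recursion.
zone "example.com" {
    type mirror;
    primaries { 192.0.2.1; };      // DNSSEC-signed primary (placeholder)
    file "example.com.mirror";
};
```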