[dns-operations] Best Practices in DNS security

Peter Dambier peter at peter-dambier.de
Fri Mar 17 10:53:32 UTC 2006

gilles.massen at restena.lu wrote:
> Could you please give an example for this? 
> Basically I'm trying very hard to find how bad running authoritative and 
> recursive service on the same nameserver actually is. In our case 
> splitting them is on the todo list, but I'm unable to get a feeling for 
> the urgency....and what the real problems are (that won't be fixed in 
> another release of bind :) ).
> Gilles

Best source I can imagine:


I don't want to propose you install djbdns, but then you would split
authority and resolver on different IP addresses, favourably on different
machines. It does make sense to use virtual machines. Seen from an
intruder they are still separate machines.

The resolver will always cache - even things it is authoritative for.

Now you have things in your cache that are not from you.

Your authoritative sees these things and publishes them as its own
authoritative data.

intruder.good-friend.my-domain can put intruder.my-domain into my
cache and my authoritative server does not know it is from the
cache not from its zone file.

I don't see how to fix this - but split server and resolver, then that
problem does not even exist.

Peter and Karin Dambier

Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
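As an added illustration (not code from Peter's post or from the thread): a small Python probe that checks whether a single nameserver sets the AA bit for a name it hosts and also returns RA with data for a name outside its zones, which is the combined authoritative-plus-resolver setup the thread advises splitting. The server address and names passed to probe() are assumptions; the sample replies are constructed headers.

```python
import socket
import struct

# Added example (not from the list post). Flag bits in the DNS header:
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """One-question query with RD set, i.e. asking the server to recurse."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_flags(response: bytes) -> dict:
    """Pull the header fields a defender cares about out of a raw reply."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "answers": ancount}

def classify(own_zone_reply: bytes, foreign_reply: bytes) -> str:
    """Compare a reply for a hosted name with a reply for a foreign name (RD=1).
    AA on the first plus RA and data on the second means one server is doing
    both jobs, the setup the thread advises splitting."""
    own, foreign = parse_flags(own_zone_reply), parse_flags(foreign_reply)
    authoritative = own["aa"]
    recursive = foreign["ra"] and foreign["rcode"] == 0 and foreign["answers"] > 0
    if authoritative and recursive:
        return "combined"
    if authoritative:
        return "authoritative-only"
    return "recursive-only" if recursive else "neither"

def probe(server_ip: str, name: str, timeout: float = 2.0) -> bytes:
    """Send one UDP query (network use; server_ip and name are yours to supply)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server_ip, 53))
        return sock.recv(4096)

def header_only(flags: int, answers: int) -> bytes:
    """Constructed reply with just a header; enough for the flag checks above."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, answers, 0, 0)

# Constructed samples: a combined server, and an authoritative-only server
# that answers REFUSED (rcode 5) when asked to recurse for a foreign name.
COMBINED = (header_only(QR | AA | RD | RA, 1), header_only(QR | RD | RA, 1))
SPLIT_AUTH = (header_only(QR | AA | RD, 1), header_only(QR | RD | 5, 0))
```

Against a live server, call classify(probe(ip, hosted_name), probe(ip, foreign_name)) and treat "combined" as the case to split.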
