[dns-operations] Best Practices in DNS security

Peter Dambier peter at peter-dambier.de
Fri Mar 17 10:53:32 UTC 2006


gilles.massen at restena.lu wrote:
> Could you please give an example for this? 
> 
> Basically I'm trying very hard to find how bad running authoritative and 
> recursive service on the same nameserver actually is. In our case 
> splitting them is on the todo list, but I'm unable to get a feeling for 
> the urgency....and what the real problems are (that won't be fixed in 
> another release of bind :) ).
> 
> Gilles
> 

Best source I can imagine:

http://cr.yp.to/djbdns.html

I don't want to propose you install djbdns but then you would split
authority and resolver on different ip addresses favourably on different
machines. It does make sense to use virtual machines. Seen from an
intruder they are still separate machines.

The resolver will always cache - even things it is authoritative for.

Now you have things in your cache that are not from you.

Your authoritative sees these things and publishes them as its own
authoritative data.

intruder.good-friend.my-domain can put intruder.my-domain into my
cache and my authoritative server does not know it is from the
cache not from its zone file.

I don't see how to fix this - but split server and resolver then that
problem does not even exist.


Regards
Peter and Karin Dambier


  --
Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
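The split Peter describes, written out as BIND 9 named.conf fragments. This is an added illustration and not part of the mailing-list post or of djbdns; the zone name "my-domain" is taken from the mail, while the addresses (192.0.2.53, 198.51.100.10, 198.51.100.0/24) are documentation placeholders standing in for the public authoritative address and the internal resolver address and client network.

```conf
// --- Weak: one server that is both authoritative and an open resolver ---
// Every answer, whether it came from the zone file or from the cache,
// leaves this single instance, which is exactly the mixing the mail warns about.
options {
    directory "/var/named";
    recursion yes;                     // recursive service for anyone who asks
};
zone "my-domain" {
    type master;
    file "my-domain.zone";
};

// --- Hardened, instance 1: authoritative only, public address ---
// No recursion at all, so nothing it hands out can come from a cache;
// it can only answer from the zones it loads.
options {
    directory "/var/named";
    listen-on { 192.0.2.53; };         // placeholder public address
    recursion no;
    allow-recursion { none; };
    allow-query { any; };
    minimal-responses yes;             // no speculative additional-section data
};
zone "my-domain" {
    type master;
    file "my-domain.zone";
};

// --- Hardened, instance 2: resolver only, internal address ---
// Deliberately carries no copy of "my-domain": it resolves that name like
// any other, by following the delegation to the authoritative instance,
// and only internal clients may use it or read its cache.
options {
    directory "/var/named-resolver";
    listen-on { 198.51.100.10; };      // placeholder internal address
    recursion yes;
    allow-recursion { 198.51.100.0/24; localhost; };   // placeholder client net
    allow-query-cache { 198.51.100.0/24; localhost; };
};
```

Run the two instances as separate named processes (separate configuration files, working directories and, as the mail suggests, ideally separate machines or VMs). A quick check after the split: a query to the authoritative address for a name outside its zones should be refused or answered without the "ra" flag in the dig output, and a query for a name in "my-domain" should carry the "aa" flag only from the authoritative instance, never from the resolver.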