[dns-operations] Best Practices in DNS security

Robert Story rstory at tislabs.com
Fri Mar 17 15:30:03 UTC 2006


On Thu, 16 Mar 2006 17:33:32 +0000 Paul wrote:
PV> also note that if you run authority and recursion in the same server image
PV> (answering on the same ip address), there are a few cases where the server
PV> cannot follow the RFCs when generating answers, and is basically guessing.
PV> my advice is, don't do this.  allocate a separate IP address for recursive
PV> nameservice (as handed out by DHCP or listed in resolv.conf) other than the
PV> one used for authority name service (as listed in A RRs who are named in
PV> NS RRs.)

Is a separate IP strictly necessary? What if the firewall redirected
DNS queries from one source to a separate copy of bind running on
a non-standard port? Best I can figure out, the authoritative
nameserver should get port 53, and the firewall (or local packet
filters on the machine) would redirect internal queries to the caching
resolver running on a non-standard port.

-- 
Robert Story
SPARTA
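One way to lay out the two-instance design Robert asks about (two BIND configurations on one host, authoritative on port 53 and the caching resolver on a non-standard port reached through a packet-filter redirect), as an added illustration that is not part of the original thread. The addresses, ports, file paths and client range are assumptions.

```conf
# Assumed NAT rule on the same host (not part of named.conf), so that
# internal clients keep sending to port 53 but reach the caching instance:
#   iptables -t nat -A PREROUTING -s 10.0.0.0/8 -p udp --dport 53 -j REDIRECT --to-ports 5353
#   iptables -t nat -A PREROUTING -s 10.0.0.0/8 -p tcp --dport 53 -j REDIRECT --to-ports 5353

# --- /etc/named-auth.conf: authoritative instance, public IP, port 53 ---
options {
    directory "/var/named/auth";
    pid-file "/run/named-auth.pid";
    listen-on port 53 { 192.0.2.10; };
    recursion no;                        # never resolve on behalf of clients
    allow-query { any; };                # anyone may ask for our zones
    allow-transfer { 198.51.100.20; };   # assumed secondary only
    minimal-responses yes;               # no guessed additional data
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

# --- /etc/named-cache.conf: recursive instance, same IP, port 5353 ---
options {
    directory "/var/named/cache";
    pid-file "/run/named-cache.pid";
    listen-on port 5353 { 192.0.2.10; };
    recursion yes;
    allow-query { 10.0.0.0/8; };         # internal clients only
    allow-recursion { 10.0.0.0/8; };     # keeps this from being an open resolver
};

zone "." {
    type hint;
    file "root.hints";
};
```

Each instance then answers only one role, so the authoritative copy never has to guess whether a query wanted recursion, and external hosts that bypass the redirect hit port 5353 only to be refused by allow-query.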