So I have a caching-only DNS server that is behind a firewall and has no incoming connections allowed unless specifically requested from inside. My DNS server does contact the root DNS servers upstream. But again, incoming connections are only allowed into my DNS server if they originated from the inside. As far as I understand, the problem for the recent DNS issues is that someone on the outside of my firewall (I am ignoring an attack from the inside) would have to send my DNS server (which they cannot) some DNS requests in order to get a reply for them to attack? Am I right? So since I do not have external access to port 53 I am relatively safe?
Since my DNS is not randomizing ports but is randomizing transaction IDs? Just curious.
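As an added illustration (not part of the poster's question or any server's own code), the Python check below looks at what the firewall rule does not cover: the reply path for the resolver's own outbound queries. It inspects constructed (source port, transaction ID) records from a resolver's query log, reports whether ports look randomized, and sizes the (port, TXID) space a reply has to match; the 1024-65535 ephemeral port range and the sample records are assumptions.

```python
from collections import Counter

# Constructed sample records of a resolver's OUTBOUND queries: (source port, TXID).
# Not taken from any real server. One resolver reuses port 53 for every query,
# the other picks a fresh ephemeral port per query; both randomize the TXID.
FIXED_PORT_SAMPLE = [(53, 0x1F2A), (53, 0x7C01), (53, 0x0B9E),
                     (53, 0xE410), (53, 0x52CD), (53, 0x9A77)]
RANDOM_PORT_SAMPLE = [(41822, 0x1F2A), (55210, 0x7C01), (33904, 0x0B9E),
                      (60133, 0xE410), (47588, 0x52CD), (38041, 0x9A77)]

EPHEMERAL_PORTS = 65535 - 1024 + 1  # assumed usable source-port range


def looks_randomized(values, min_distinct=None):
    """Heuristic: a randomized field shows (nearly) as many distinct values
    as there are queries in a small sample; a fixed field shows one."""
    if min_distinct is None:
        min_distinct = max(2, len(values) // 2)
    return len(Counter(values)) >= min_distinct


def guess_space(port_randomized, txid_randomized, port_range=EPHEMERAL_PORTS):
    """Number of (port, TXID) combinations a reply must match to be accepted.
    A fixed port leaves only the 16-bit TXID; randomizing the port multiplies
    that by the port range. The firewall's inbound rule plays no part here,
    because the reply arrives on the port the resolver itself opened."""
    space = 1
    if txid_randomized:
        space *= 2 ** 16
    if port_randomized:
        space *= port_range
    return space


def assess(records, port_range=EPHEMERAL_PORTS):
    """Summarize a log sample: are port and TXID randomized, and how large is
    the resulting guess space for a reply to the resolver's outbound query?"""
    port_rand = looks_randomized([p for p, _ in records])
    txid_rand = looks_randomized([t for _, t in records])
    return {"port_randomized": port_rand,
            "txid_randomized": txid_rand,
            "guess_space": guess_space(port_rand, txid_rand, port_range)}


if __name__ == "__main__":
    for name, sample in (("fixed port", FIXED_PORT_SAMPLE),
                         ("random port", RANDOM_PORT_SAMPLE)):
        print(name, assess(sample))
```

Run against a real query log (source port and TXID per outbound query) rather than the constructed samples to see which case your resolver is in.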