On 29. 12. 21 19:24, tale wrote:
> On Wed, Dec 29, 2021 at 5:31 AM Danilo Godec via bind-users
> <bind-users@lists.isc.org> wrote:
>> I have an authoritative DNS server for a domain, but I was also going to
>> use the same server as a recursive DNS for my internal network, limiting
>> recursion by the IP. Apparently, this is a bad idea that can lead to
>> cache poisoning...
> In short, no, this configuration with a BIND 9 server does not
> increase your risk of cache poisoning any more than running your local
> server in pure recursive mode.  I'm curious to hear more from the
> source that has given you this impression.  I suspect there were some
> additional qualifications that don't align with what you've described.

The source is a security audit report, claiming that using a single server for both authoritative (for public use) and recursive (limited to internal clients by means of 'allow-recursion' directive) roles increases the risk of DoS attacks and DNS cache poisoning... They mentioned CVE-2021-20322 that supposedly makes cache poisoning feasible (again) - that made them increase the concern level to a 'medium'.


While I understand how and why DoS and cache poisoning are bad, I don't understand how separating these two roles would help mitigate the risk.


Thanks for helping me understand,

      Danilo
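A named.conf sketch of the split-role setup discussed in this thread (public authoritative zone, recursion only for internal clients), added here as an illustration; it is not from the thread or from ISC's documentation, and the ACL ranges, zone name and file path are assumed placeholders:

```conf
// Added example: one BIND 9 named.conf expressing the setup discussed
// above, using views so external clients never reach the resolver cache.
// Network ranges, zone name and file path are assumed placeholders.

acl "internal" {
    127.0.0.1;
    10.0.0.0/8;        // assumed internal ranges; adjust to your network
    192.168.0.0/16;
};

// Internal clients: recursion allowed, cache readable.
view "internal" {
    match-clients     { internal; };
    recursion         yes;
    allow-recursion   { internal; };
    allow-query       { internal; };
    allow-query-cache { internal; };   // defaults to allow-recursion; set explicitly

    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";   // assumed path
    };
};

// Everyone else: authoritative answers only, no recursion, no cache access.
view "external" {
    match-clients     { any; };
    recursion         no;
    allow-query       { any; };
    allow-query-cache { none; };

    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";
    };
};
```

Validate with `named-checkconf`, then confirm from an address outside the ACL that a query for a name outside your zones is not answered recursively (the `ra` flag is absent in the `dig` output).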


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.