On 21/02/13 08:28, curriegrad2004 wrote:
> On Wed, Feb 20, 2013 at 10:16 PM, Todd And Margo Chester
> <[email protected]> wrote:
>> Hi All,
>>
>> I can not get frontier's DNS servers to resolve
>> releases.mozilla.org.  So, in my /etc/named.conf
>> I commented out frontier's DNS servers and substituted
>> Google's (8.8.8.8) and Open DNS' (208.67.222.222).
>>
>>         # forwarders { 216.67.192.3; 74.40.37.242; };
>>         # forwarders { 74.40.74.40; 74.40.74.41; };
>>         forwarders { 8.8.8.8; 208.67.222.222; };
>>
>> Am I making a security mistake here?
>>
>> Many thanks,
>> -T
>
> From a security perspective, I would seriously not even bother
> querying anybody's DNS servers but rather have BIND become a full
> recursive DNS server using only the root hints provided by IANA.
> 
> Unless frontier is hijacking DNS (port 53) traffic, I'd strongly
> recommend using the method mentioned above.

+1 ... Set up your local bind installation as a caching server, which
should be the default on an EL6 installation ... you just need to ensure
that you have this section in your /etc/named.conf ... and then you can
ditch the forwarders completely:

  zone "." IN {
      type hint;
      file "named.ca";
  };

And please avoid the typical mistake of disabling DNSSEC (which 98% of
all Internet blogs suggest).  DNSSEC usually works out-of-the-box on an
EL6 installation.


--
kind regards,

David Sommerseth
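Added example (not from any message in this thread): a minimal /etc/named.conf that applies the advice above on EL6, recursing from the root hints instead of forwarding, keeping DNSSEC validation on, and not becoming an open resolver. File paths are the EL6 package defaults; `localnets` is BIND's built-in ACL for the host's own subnets, and the `dnssec-validation auto` setting assumes the BIND 9.8 shipped with EL6.

```conf
## Recursive, caching resolver for the local host and its LAN.
## Comments explain each security-relevant choice.

options {
    directory "/var/named";
    # Listen on loopback only; add a LAN address here if other
    # machines on your network should use this resolver.
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };

    # Resolve via the root servers ourselves. Forwarders are left
    # commented out on purpose so no third-party resolver sees queries.
    recursion yes;
    # forwarders { 8.8.8.8; 208.67.222.222; };

    # Do not be an open resolver: only local hosts may query or recurse.
    allow-query     { localhost; localnets; };
    allow-recursion { localhost; localnets; };

    # Keep DNSSEC validation on. "auto" uses BIND's built-in root trust
    # anchor (BIND 9.8+, as on EL6) and stores key rollovers under
    # managed-keys-directory. A forged or broken answer yields SERVFAIL
    # instead of a bogus record.
    dnssec-enable yes;
    dnssec-validation auto;
    managed-keys-directory "/var/named/dynamic";
};

# Root hints: this is what lets named find the root servers and
# recurse on its own, replacing the forwarders entirely.
zone "." IN {
    type hint;
    file "named.ca";
};
```

After restarting named, `dig +dnssec <signed-name> @127.0.0.1` should show the `ad` flag in the response header for a properly signed zone, which confirms validation is actually happening.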
