Re: Cache only and reverse mapping
On 19.12.11 11:40, sasa sasa wrote:
> > > I'm trying to set up a DNS for an ISP, this ISP's DNS is in delegation tree (answering world), and I know about cache vulnerabilities so I was wondering what is the best solution for ISPs? By separating cache from authorities, you mean implementing 2 DNSs (2 different IPs)? This doesn't sound practical.
> > Wait, it's not practical for an ISP to serve different logical functions on different IP addresses? What kind of ISP is this?
> My fault, apparently I was not thinking straight, I was thinking that we should give customers 2 DNS IPs for 2 separate functions!! Now I feel totally stupid, thanks Kevin.

Well, you _should_ give customers 2 IPs for recursive DNS service, and 2 hostnames (with different IPs) for DNS zones' NS records. They _should_ run on different servers, or at least views.

Some customers do reregister their domains to different DNS providers, and later complain that you provide old zones to your other customers (because they did not tell you that you should stop providing them).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (in Slovak): I do NOT want to receive any advertising mail at this address.
Honk if you love peace and quiet.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Cache only and reverse mapping
On 12/16/2011 11:22 AM, sasa sasa wrote:
> I'm trying to set up a DNS for an ISP, this ISP's DNS is in delegation tree (answering world), and I know about cache vulnerabilities so I was wondering what is the best solution for ISPs? By separating cache from authorities, you mean implementing 2 DNSs (2 different IPs)? This doesn't sound practical.

Wait, it's not practical for an ISP to serve different logical functions on different IP addresses? What kind of ISP is this?

- Kevin
Re: Cache only and reverse mapping
> > I'm trying to set up a DNS for an ISP, this ISP's DNS is in delegation tree (answering world), and I know about cache vulnerabilities so I was wondering what is the best solution for ISPs? By separating cache from authorities, you mean implementing 2 DNSs (2 different IPs)? This doesn't sound practical.
> Wait, it's not practical for an ISP to serve different logical functions on different IP addresses? What kind of ISP is this? :)

My fault, apparently I was not thinking straight, I was thinking that we should give customers 2 DNS IPs for 2 separate functions!! Now I feel totally stupid, thanks Kevin.
Re: Cache only and reverse mapping
On Dec 15, 2011, at 3:07 AM, sasa sasa wrote:
> For an ISP, is there any risk in configuring BIND DNS as cache only and adding customer's reverse mapping zones?

If this copy of the reverse zone is for the world's use (i.e. in the delegation tree), then your DNS server would be answering queries from the world, and a caching server answering queries from the world is vulnerable to known cache vulnerabilities in the DNS protocol.

On the other hand, if this copy of the reverse zone is only to answer your customers' queries, and the DNS server is configured not to answer queries from the world, then you've avoided the DNS protocol vulnerabilities and there's no special risk attached to serving this zone.

Aside from the issue of preventing known cache vulnerabilities in the DNS protocol, folks often separate caching from authoritative (specifically, in the delegation tree) as an insurance policy against bugs and vulnerabilities that haven't been found yet. It's hard to quantify risks associated with bugs and vulnerabilities that no one has found yet and may not even exist.

> Any other possible implementations?

We'd have to know what you're trying to accomplish.

John Wobus
Cornell U
Re: Cache only and reverse mapping
I'm trying to set up a DNS for an ISP, this ISP's DNS is in delegation tree (answering world), and I know about cache vulnerabilities so I was wondering what is the best solution for ISPs? By separating cache from authorities, you mean implementing 2 DNSs (2 different IPs)? This doesn't sound practical.

Thanks,
Sa

On Dec 15, 2011, at 3:07 AM, sasa sasa wrote:
> > For an ISP, is there any risk in configuring BIND DNS as cache only and adding customer's reverse mapping zones?
>
> If this copy of the reverse zone is for the world's use (i.e. in the delegation tree), then your DNS server would be answering queries from the world, and a caching server answering queries from the world is vulnerable to known cache vulnerabilities in the DNS protocol.
>
> On the other hand, if this copy of the reverse zone is only to answer your customers' queries, and the DNS server is configured not to answer queries from the world, then you've avoided the DNS protocol vulnerabilities and there's no special risk attached to serving this zone.
>
> Aside from the issue of preventing known cache vulnerabilities in the DNS protocol, folks often separate caching from authoritative (specifically, in the delegation tree) as an insurance policy against bugs and vulnerabilities that haven't been found yet. It's hard to quantify risks associated with bugs and vulnerabilities that no one has found yet and may not even exist.
>
> > Any other possible implementations?
>
> We'd have to know what you're trying to accomplish.
>
> John Wobus
> Cornell U
Re: Cache only and reverse mapping
On Dec 16, 2011, at 11:22 AM, sasa sasa wrote:
> I'm trying to set up a DNS for an ISP, this ISP's DNS is in delegation tree (answering world), and I know about cache vulnerabilities so I was wondering what is the best solution for ISPs? By separating cache from authorities, you mean implementing 2 DNSs (2 different IPs)? This doesn't sound practical.

Then I suspect you know all this, but...

The practicality certainly depends upon your site's situation. Many sites have enough IPs to allocate a few more to DNS, and enough server capacity to run more BIND instances, but I imagine some don't. Two such BIND instances could be on different hardware or the same, but two IPs would be necessary. BIND typically runs on OSes that, without tricks such as NATting, generally support just one program listening on a specific port/IP.

BIND's view feature allows a single BIND instance on a single IP to act a bit like two instances, offering some of the advantages of isolating their respective functions.

Aside from this, a BIND instance can be configured not to answer queries for non-authoritative data from outside your address space. This also gives you some of the risk advantages you'd get from running separate instances.

John Wobus
Cornell University
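Whichever way you split it (separate instances, views, or a restricted allow-recursion), the thing to verify afterwards is what the server's public address actually hands back to a stranger: a REFUSED for a name you are not authoritative for, an authoritative answer for your own in-addr.arpa zones, and never a recursive answer. The script below is an added example written for this note; it is not code from the thread, from ISC or from BIND. It builds a bare DNS query with RD set, parses the 12-byte response header and classifies the result. The probe name, the reverse name, the transaction ID and the four sample responses are constructed here for illustration; point PROBE_NAME at a name the server under test is not authoritative for.

```python
"""Classify what a DNS server offers to an outside client.

Sends one query with RD=1 and inspects the response header:
  refused         - server will not recurse for us (what the world should see)
  authoritative   - AA set: the server owns the zone (our in-addr.arpa data)
  open-recursion  - RA set and an answer we are not authoritative for: open resolver
  referral-only   - no RA, no answer, delegation records only
Runs offline on constructed sample responses; pass a server IP to probe for real.
"""
import socket
import struct
import sys

# Constructed names for the example (not from the bind-users thread).
PROBE_NAME = "www.example.com"          # a name the probed server does NOT serve
REVERSE_NAME = "1.0.0.10.in-addr.arpa"  # a reverse name it is assumed to serve
TXID = 0x1234                            # fixed ID so the samples match the query

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Dotted name -> uncompressed DNS label sequence, terminated by a zero label."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=TXID):
    """Standard query: flags 0x0100 (RD=1), one question of class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(resp):
    """Split the fixed 12-byte header into its flag bits and section counts."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "aa": (flags >> 10) & 1,
            "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify(resp, expected_id=TXID):
    """Map the header of a response to one of the categories in the docstring."""
    h = parse_header(resp)
    if h["id"] != expected_id or not h["qr"]:
        return "not-a-matching-response"
    if h["rcode"] == 5:
        return "refused"
    if h["aa"]:
        return "authoritative"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursion"
    if not h["ra"] and h["ancount"] == 0 and h["nscount"] > 0:
        return "referral-only"
    return "other:" + RCODE_NAMES.get(h["rcode"], str(h["rcode"]))


def probe(server, name=PROBE_NAME, timeout=3.0):
    """Send the query over UDP/53 to a real server and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        resp, _ = s.recvfrom(4096)
    return classify(resp)


# --- constructed sample responses (only the header is examined by classify) ---
def _response(flags, name, qtype, rrs=b"", ancount=0, nscount=0, txid=TXID):
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, nscount, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + rrs


def _rr(rtype, ttl, rdata):
    # 0xC00C is a compression pointer to the question name at offset 12.
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


SAMPLE_REFUSED = _response(0x8105, PROBE_NAME, 1)                       # QR RD rcode=5
SAMPLE_OPEN = _response(0x8180, PROBE_NAME, 1,                          # QR RD RA
                        _rr(1, 300, bytes([192, 0, 2, 10])), ancount=1)
SAMPLE_AUTH = _response(0x8500, REVERSE_NAME, 12,                       # QR AA RD
                        _rr(12, 3600, encode_name("host1.example.net")), ancount=1)
SAMPLE_REFERRAL = _response(0x8100, PROBE_NAME, 1,                      # QR RD, NS only
                            _rr(2, 3600, encode_name("ns1.example.com")), nscount=1)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        for label, sample in [("refused", SAMPLE_REFUSED), ("open", SAMPLE_OPEN),
                              ("auth", SAMPLE_AUTH), ("referral", SAMPLE_REFERRAL)]:
            print(label, "->", classify(sample))
```

Run it with no arguments to see the four sample classifications, or with the public IP of your server to probe it from outside your address space (from inside, a correctly configured customer view will of course answer recursively). A result of open-recursion on the public address is the misconfiguration the thread warns about; refused for PROBE_NAME together with authoritative for your own reverse zone is the intended split.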
Re: Cache only and reverse mapping
sasa sasa wrote:
> I'm trying to set up a DNS for an ISP, this ISP's DNS is in delegation tree (answering world), and I know about cache vulnerabilities so I was wondering what is the best solution for ISPs? By separating cache from authorities, you mean implementing 2 DNSs (2 different IPs)? This doesn't sound practical.
>
> Thanks,
> Sa

Why not? Your customers don't need to know about the authoritatives directly; the only addresses they'll require are the caching servers'.

I'd bet on small efficiencies to be gained only by mixing the two, but not worth the potential troubles, IMHO.
Cache only and reverse mapping
For an ISP, is there any risk in configuring BIND DNS as cache only and adding customers' reverse mapping zones? Any other possible implementations?

regards,
Sa
Re: Cache only and reverse mapping
On Thursday 15 December 2011 02:07:12 sasa sasa wrote:
> For an ISP, is there any risk in configuring BIND DNS as cache only and adding customers' reverse mapping zones? Any other possible implementations?

To be precise, when you are serving any zones authoritatively, your server is no longer cache only. There is no difference between in-addr.arpa zones and other zones, as far as named/DNS is concerned. If you have been delegated reverse DNS for your [customers'] netblocks, you do indeed need to serve those in-addr.arpa zones.

I am not sure what you are asking regarding risk and other implementations.

-- 
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header