I'm trying to set up a DNS for an ISP. This ISP's DNS is in the delegation tree 
(answering the world), and I know about cache vulnerabilities, so I was wondering 
what the best solution is for ISPs.
By separating cache from authorities, you mean implementing 2 DNSs (2 different 
IPs)? This doesn't sound practical.

Thanks,
Sa

On Dec 15, 2011, at 3:07 AM, sasa sasa wrote:

> For an ISP, is there any risk in configuring BIND DNS as cache only and 
> adding customer's reverse mapping zones?

If this copy of the reverse zone is for the world's use (i.e. in the delegation 
tree), then your DNS server would
be answering queries from the world, and a caching server answering queries 
from the world is vulnerable to known
cache vulnerabilities in the DNS protocol.  On the other hand, if this copy of 
the reverse zone is only to answer
your customer's queries, and the DNS server is configured not to answer queries 
from the world, then you've avoided
the DNS protocol vulnerabilities and there's no special risk attached to 
serving this zone.

Aside from the issue of preventing known cache vulnerabilities in the DNS 
protocol, folks often separate
caching from authoritative (specifically, in the delegation tree) as an 
insurance policy against bugs and
vulnerabilities that haven't been found yet.  It's hard to quantify risks 
associated with bugs and vulnerabilities
that no one has found yet and may not even exist.

> Any other possible implementations?

We'd have to know what you're trying to accomplish.

John Wobus
Cornell U
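The split John describes, as an added configuration example that is not from the thread: two separate BIND instances on two addresses, one authoritative-only for the world and one caching resolver that refuses the world. The prefixes 192.0.2.0/24 and 198.51.100.0/24 and the zone 10.in-addr.arpa are stand-ins for the ISP's customer ranges and its delegated reverse zone.

```conf
// ===== named.conf for instance 1: authoritative only =====
// This is the server listed in the delegation tree. It never recurses,
// so it holds no cache for anyone to poison.
options {
    listen-on { 192.0.2.53; };
    recursion no;                 // refuse recursive service entirely
    allow-query { any; };         // the world may ask about our zones
    allow-query-cache { none; };  // and about nothing else
    allow-transfer { none; };     // secondaries are named per zone instead
};

zone "10.in-addr.arpa" {          // constructed stand-in for the reverse zone
    type master;
    file "db.10.in-addr.arpa";
    allow-transfer { 198.51.100.53; };   // only our own resolver may copy it
};

// ===== named.conf for instance 2: caching resolver for customers =====
// Separate process, separate address. Only customer prefixes may query or
// recurse through it, so the world cannot reach the cache at all.
acl customers { 192.0.2.0/24; 198.51.100.0/24; };   // constructed ranges

options {
    listen-on { 198.51.100.53; };
    recursion yes;
    allow-query { customers; };        // anyone else gets REFUSED
    allow-recursion { customers; };
    allow-query-cache { customers; };
};

// John's second case: a copy of the reverse zone served to customers only.
// The allow-query above already keeps it away from the world.
zone "10.in-addr.arpa" {
    type slave;
    masters { 192.0.2.53; };
    file "slave/db.10.in-addr.arpa";
};
```

To check the split after reloading, query a name you are not authoritative for against 192.0.2.53 with dig and confirm the reply has no "ra" flag and no answer, then repeat against 198.51.100.53 from outside the customer ranges and confirm the status is REFUSED.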
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
