On 2/26/13 10:43 AM, "Sten Carlsen" <st...@s-carlsen.dk> wrote:
> On 26/02/13 15:50, Robert Moskowitz wrote:
>> I would expect that a namecaching server on the mailserver would reduce
>> traffic and resources all the way around.
>>
>> I don't need my mailserver to constantly be asking my name server about,
>> say, zen.spamhaus.org.
>
> This is one reason my mailserver has a DNS server. No forward, that only
> slows down things.
> The question here is whether there is a good reason that this instance must
> not go directly to the roots?

In my opinion mail servers that receive outside mail should point to root servers and nothing internally. Particularly if you have spam filtering that relies on any sort of DNS lookup.

A message will cause a spam filter to produce a predictable set of queries, so someone who can come up with a BIND vulnerability can force your mail server to make potentially vulnerable requests. If the vulnerability involves cache poisoning, then the malware authors would be able to pollute your internal DNS by convincing your spam filter to query crafted entries.

That's not to say that there is currently any cache-poisoning vulnerability that someone might exploit, or that any current malware makes use of this two-phase approach to exploit desktops. But why take the risk when setting up BIND as a recursive server pointing at roots is so trivial?

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
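The setup Daniel recommends, as an added example that is not part of the thread: a minimal BIND 9 `named.conf` for a resolver that lives on the mail host, answers only that host, and recurses from the root hints instead of forwarding into the internal DNS. The `forwarders` block shown first is the configuration the post argues against; the internal resolver address `192.0.2.53` is a placeholder, and the hints file path is an assumption (BIND falls back to its compiled-in root hints if the zone is omitted).

```conf
// --- What the post advises against: forwarding the mail host's lookups ---
// into the internal caching resolver. Every spam-filter query (RBL, SPF,
// PTR, ...) then lands in the cache shared with the rest of the network.
//
// options {
//     forwarders { 192.0.2.53; };   // placeholder: internal DNS server
//     forward only;
// };

// --- Recommended: a dedicated recursive resolver on the mail server ---
options {
    directory "/var/cache/bind";        // assumed working directory

    // Only the mail host itself may use this resolver. A poisoned entry,
    // should one ever occur, stays confined to this box.
    listen-on      { 127.0.0.1; };
    listen-on-v6   { ::1; };
    allow-query    { localhost; };
    recursion yes;
    allow-recursion { localhost; };

    // No forwarders: resolve from the roots directly, as the post suggests.
    // (An empty list is equivalent to omitting the statement.)
    forwarders { };

    // Validate DNSSEC-signed answers; a forged reply for a signed zone is
    // rejected rather than cached.
    dnssec-validation auto;

    // Do not serve the resolver's version string to whoever asks.
    version none;
};

// Root hints: the starting point for recursion. Path is an assumption;
// omit the zone entirely to use the hints compiled into named.
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};

// Keep RFC 1918 / localhost reverse lookups from leaking to the roots.
include "/etc/bind/zones.rfc1918";     // assumed path (Debian-style layout)
```

With this in place the mail host's `/etc/resolv.conf` should contain only `nameserver 127.0.0.1`, so the spam filter's lookups never touch the internal servers.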