> From: Daniel McDonald <dan.mcdon...@austinenergy.com>
> That's not to say that there is currently any cache-poisoning vulnerability
> that someone might exploit, or that any current malware makes use of this
> two-phase approach to exploit desktops. But why take the risk when setting
> up bind as a recursive server pointing at roots is so trivial?
It's not clear to me that the risk of evil mail causing poisonous lookups is enough larger than other vectors for poisonous lookups to balance the costs and risks of additional DNS servers at a small site:

- Partitioning your DNS cache among separate servers reduces its overall hit rate and so costs more RAM, CPU cycles, and bandwidth. (Given the mention of zen.spamhaus.org, consider the records for .org.)
- Maintaining another server costs additional system administration labor and system administration errors.
- Having DNS broken only for mail by hypothetical evil lookups is likely to be unnoticed for longer than when all DNS is broken, especially at small sites.
- Every additional anything increases your attack surface, especially when it talks to the whole Internet.

There are many situations where those costs are worthwhile, but they are less common at small sites.

When two DNS servers are justified at a small site, I bet the best common tactic is to put all servers in all /etc/resolv.conf files or the Windows equivalent, but with differing orders. For example, the mail system might prefer its own DNS server but fall back to another server.

Vernon Schryver v...@rhyolite.com
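The "same servers, different order" arrangement from the reply above, written out as a pair of /etc/resolv.conf files. This is an added illustration, not configuration from either poster; the addresses are constructed from the 192.0.2.0/24 documentation range, with 192.0.2.53 standing in for the mail-only recursive server and 192.0.2.1 for the site-wide resolver.

```conf
# /etc/resolv.conf on the mail host (added example; constructed addresses,
# not from the original post). Mail-only resolver first, site resolver second.
nameserver 192.0.2.53
nameserver 192.0.2.1
# Fail over sooner than the glibc defaults (5 s timeout, 2 attempts per server).
options timeout:2 attempts:2
# Do not add "options rotate": it round-robins queries across the listed
# servers and defeats the intended preference order.

# /etc/resolv.conf on every other host: the same two servers, reversed.
nameserver 192.0.2.1
nameserver 192.0.2.53
options timeout:2 attempts:2
```

The stub resolver moves to the next nameserver only when the preferred one does not answer or reports a server failure; any answer the preferred server does give is accepted as is. The ordering therefore buys availability if one server goes down, not a cross-check of answers between the two servers, which is consistent with the point that a poisoned mail-only cache can sit unnoticed.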