On 11/3/20 4:36 PM, Steve Litt wrote:
> On Sat, 31 Oct 2020 09:08:50 +0900
> Simon Walter <si...@gikaku.com> wrote:
>
>> On 10/30/20 7:29 AM, Rick Moen wrote:
>>> ...
>>> FWIW, I am no longer comfortable with the idea of a combined
>>> authoritative/recursive server on a publicly exposed static IP.
>>> That has been deprecated for long decades as bad security,
>>> particularly because it increases the risk of cache poisoning of
>>> the recursive server.  IMO, a LAN connected to public networks,
>>> even a small one, ought to have the authoritative service on a
>>> separate, public-facing host, and the recursive service on a
>>> protected, internal-network machine that is as shielded from public
>>> networks as possible.
>>
>> Thanks for the bits of wisdom.
>>
>> Do you know any papers/articles/sites that discuss and explain this
>> more?
>>
>> I have not updated my IT knowledge in years and am a bit thirsty.
>
> When it comes to separation of authoritative and resolver parts of DNS,
> the documentation from the old djbdns makes it very clear, and is an
> excellent starting point.

I'll have to check that out. Thanks!

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
