On 16/12/2015 11:09, Tom H wrote:
> On Wed, Dec 16, 2015 at 4:01 AM, Adam Carter <adamcart...@gmail.com> wrote:
>>>
>>> There are several problems with your idea. First, the configured
>>> nameservers in resolv.conf are caching servers, not authoritative
>>> servers. You never configure an auth server to act as a cache. Yes, it
>>> can be done. No, it's an awful idea and things break horribly.
>>
>> What breaks if you have caching and auth on the same server? I have been
>> running my tiny home network this way for years. The local domain is
>> properly delegated, but if you just want a local domain that's not
>> necessary.
> 
> The ISC recommends separating authoritative and caching bind servers.
> 
> The main reason that I can think of is that someone can poison the
> cache of the domains for which a server's authoritative.
> 


If I were a serious Cyber Kriminal, here's the avenue I'd be looking for:

Find some vendor of low or medium end equipment (some, small business
kit) that "helpfully" provides a combined DNS cache and auth server on
the border router and just as helpfully announces this to the internal
network. We all know how bad security on that stuff really is (think
factory default user admin pass admin, and never changed).

Find an exploit for these things and load lame zone files for some major
banks and other juicy target pointing at my malware. The owners of this
kit will never notice I did this. The router's DNS cache will trust the
authoritative zone it has loaded even though it's orphaned.

Awesome thanks. I just 0wned the internet for that entire business. And
9 out of 10 of those businesses will never find it.

Solution: obey best practice. Never run auth and cache on the same
address. On the same machine is fine, they are different daemons.

-- 
Alan McKinnon
alan.mckin...@gmail.com
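As an added illustration of the "same machine, different daemons, different addresses" advice above (example configuration, not from the thread or from the ISC): two BIND instances on one host, an authoritative one on the public address with recursion disabled, and a resolver on the internal address that only answers recursive queries from the LAN. The addresses, zone name and file paths are placeholders.

```conf
// Instance 1: authoritative only, bound to the public address.
// Run as its own named process with this file (e.g. -c /etc/bind/named-auth.conf).
options {
    directory   "/var/cache/bind-auth";   // placeholder path
    pid-file    "/run/named/named-auth.pid";
    listen-on   { 203.0.113.10; };        // placeholder public address
    listen-on-v6 { none; };
    recursion   no;                        // never answer recursively
    allow-query { any; };                  // the world may ask for our zones
    allow-transfer { 203.0.113.11; };      // placeholder secondary only
};
zone "example.net" {                       // placeholder zone
    type master;
    file "db.example.net";
};

// Instance 2: caching resolver only, bound to the internal address.
// Separate process, separate config (e.g. -c /etc/bind/named-cache.conf).
options {
    directory   "/var/cache/bind-cache";   // placeholder path
    pid-file    "/run/named/named-cache.pid";
    listen-on   { 192.0.2.1; };            // placeholder internal address
    listen-on-v6 { none; };
    recursion   yes;
    allow-query     { 192.0.2.0/24; };     // placeholder LAN only
    allow-recursion { 192.0.2.0/24; };
};
// No authoritative zones here: the resolver learns example.net only by
// following delegation from the root, so a local zone file can never
// shadow what the rest of the internet sees.
```

The two `options` blocks belong in two separate files, one per named process. To check the split, `dig @203.0.113.10 example.net A` should answer with the `aa` flag and without `ra`, while `dig @192.0.2.1 example.net A` from the LAN should show `ra`.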