On Mon, Jan 24, 2011 at 7:52 AM, Josh Smith <juice...@gmail.com> wrote:
> I agree the tcp option in resolv.conf looks great and I'll be enabling
> it on my obsd clients but, correct me if I am wrong, this will do
> little to help protect the non obsd clients using my recursive
> resolvers.
It doesn't do a whole lot to protect the openbsd clients either. If bad people are injecting packets into your local network from the outside, you are boned. Get a new firewall. If bad people are injecting packets from the inside, you are double boned. Get a new network. Beyond that, the more common attack point for DNS is between the local recursive/caching server and the rest of the internet. Just because you trust the connection from workstation to server doesn't mean the data the server collected from the tubes at large is safe. You are securing the wrong part of the connection. TCP may help talking to a far away DNS server over the internet, but honestly, that's an unusual scenario and better handled by a VPN.
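Added illustration, not part of the thread above: the reply says that on an unspoofed LAN the UDP-vs-TCP question barely matters, and that the exposed hop is the one between the recursive server and the internet. What actually stands between a forged UDP reply and a real one on that hop is a handful of checks in the resolver: source address, the port the query went out from, the 16-bit transaction ID, the QR bit, an echoed question section, and (crudely) that the answer names what was asked. The code below is an added example of those checks on a minimal hand-built DNS wire format, with constructed addresses (192.0.2.53 as the upstream server, 203.0.113.7 as the answer) and the assumption that replies arrive from port 53; it is not OpenBSD's resolver code.

```python
"""Resolver-side sanity checks on a UDP DNS reply (added example)."""
import struct


def encode_name(name):
    """Encode "www.example.com" as DNS labels; root name encodes as a single zero byte."""
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name, qtype=1):
    # flags 0x0100: standard query, recursion desired; one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, ip, qtype=1, ttl=300):
    # flags 0x8180: response, RD + RA set; one question echoed, one A answer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    # owner name is a compression pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_name(msg, off):
    """Decode a possibly compressed name; return (lowercased name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2  # the name ends after the first pointer in the stream
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if jumped else off)


def parse_message(msg):
    """Parse header, question and answer sections (authority/additional are ignored here)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = parse_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}


class PendingQuery:
    """What the resolver remembers about one outstanding UDP query."""

    def __init__(self, txid, sport, server, name, qtype=1):
        self.txid, self.sport, self.server = txid, sport, server
        self.name, self.qtype = name.rstrip(".").lower(), qtype


def accept_reply(pending, src_ip, src_port, dst_port, msg):
    """Return (accepted, reason). Only txid and sport are secret to an off-path attacker."""
    if src_ip != pending.server or src_port != 53:  # assumption: upstream answers from 53
        return False, "wrong source address"
    if dst_port != pending.sport:
        return False, "wrong destination port"
    try:
        reply = parse_message(msg)
    except (struct.error, IndexError, UnicodeDecodeError):
        return False, "malformed"
    if reply["txid"] != pending.txid:
        return False, "transaction id mismatch"
    if not (reply["flags"] & 0x8000):
        return False, "not a response"
    if reply["questions"] != [(pending.name, pending.qtype, 1)]:
        return False, "question section does not echo the query"
    if any(a[0] != pending.name for a in reply["answers"]):
        return False, "answer owner name differs from question"  # crude bailiwick check
    return True, "ok"
```

Everything in accept_reply except the transaction ID and the source port is guessable by anyone who can see or predict the query, so an off-path forger on the server-to-internet hop has at most 32 bits to brute-force, and only 16 if the resolver reuses a fixed source port. The resolv.conf tcp option changes the client-to-cache hop only; the cache's own upstream lookups are whatever the cache does.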