Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?
On 04/01/2022 21:12, Grant Taylor via bind-users wrote:

> Yep. This is where I have settled. But I don't feel I can defend it when asked. Hence my seeking to better understand.

There are categories of bugs that specifically affect recursion, and in BIND these are _much_ more common than those that affect authoritative service. Adding auth service barely touches the attack surface.

And with BIND's separation between authoritative and recursively cached trees there is (AFAIK) no risk of cache pollution affecting the authoritative data.

Furthermore, having the auth data for your own zones present there actually ensures that your own zones' data:

1. will always be served in preference to cached data
2. will be fresher (i.e. not subject to TTLs) assuming that NOTIFYs and/or a short SOA refresh is in place
3. will be present if access to the authoritatives is lost for some period of time (/me waves at Facebook!)

I really can't see any downside.

Ray

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?
On 1/4/22 4:37 AM, Ray Bellis wrote:

> Better yet, use BIND's mirror zones feature so that the zone is also DNSSEC validated.

Completely agreed. I think the type of authoritative information is somewhat independent of the fact that any authoritative information exists.

> IMHO, the strictures against running authoritative and recursive on the same server seem to get mis-applied a lot of the time. I think it's perfectly fine for an *internal* recursive server to also hold authoritative copies of your own zones.

Yep. This is where I have settled. But I don't feel I can defend it when asked. Hence my seeking to better understand.

--
Grant. . . .
unix || die
Re: How to show run the active configuration on bind
On 04/01/2022 16:53, Mik J via bind-users wrote:

> Hello,
> How can I check which variables are loaded in memory and considered as active?
> For example, I would like to check that the value of lame-ttl is 0.
> In my named.conf configuration file I have
>     include "myconf.conf";
>     lame-ttl 600;
> And in the myconf.conf file I have
>     lame-ttl 0;
> So how can I make sure which value is used?

You can't do that. BIND prohibits redeclaration of individual options. It also prohibits the presence of more than one "options { }" block.

Ray
How to show run the active configuration on bind
Hello,

How can I check which variables are loaded in memory and considered as active? For example, I would like to check that the value of lame-ttl is 0.

In my named.conf configuration file I have

    include "myconf.conf";
    lame-ttl 600;

And in the myconf.conf file I have

    lame-ttl 0;

So how can I make sure which value is used?

Thank you
Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?
On 04/01/2022 03:52, Grant Taylor via bind-users wrote:

> If I'm allowing recursion and authoritative on the same server, I'd have the recursive + authoritative server do secondary zone transfers off of the internal MS-DNS / AD server. That way the clients can get the info off of the first server they talk to. To me, the secondary copy of the zone is a form of authoritative information on the otherwise recursive server.

Better yet, use BIND's mirror zones feature so that the zone is also DNSSEC validated.

IMHO, the strictures against running authoritative and recursive on the same server seem to get mis-applied a lot of the time. I think it's perfectly fine for an *internal* recursive server to also hold authoritative copies of your own zones.

Ray
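The configuration below is an added example, not something posted by any participant in this thread. It pulls together the two discussions above into one named.conf: an internal resolver whose recursion is limited to trusted local networks, holding a plain secondary copy of the AD-served zone (Grant's setup) and a DNSSEC-validated mirror copy of a signed zone (Ray's suggestion), with a single options block in which lame-ttl is declared exactly once (the point Ray makes in the other thread). All addresses, zone names and file names are placeholders.

```conf
// Added example (not from the thread). Placeholder addresses and names.

acl "trusted" {
    127.0.0.1;
    10.0.0.0/8;          // placeholder: internal client ranges
    192.168.0.0/16;
};

// Exactly one options block. BIND rejects a second block or a repeated
// option, so "lame-ttl" is set here and must not reappear in any file
// pulled in with "include".
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { trusted; };     // recursion only for local networks
    allow-query { trusted; };
    allow-query-cache { trusted; };
    allow-transfer { none; };
    dnssec-validation auto;           // required for the mirror zone below
    lame-ttl 0;
};

// Secondary copy of the AD-integrated zone, transferred from the internal
// MS-DNS servers. It lives in the authoritative tree, so answers come from
// here rather than from the recursive cache.
zone "ad.example.internal" {
    type secondary;
    primaries { 10.0.0.5; 10.0.0.6; };   // placeholder AD DNS servers
    file "db.ad.example.internal";
};

// Mirror zone: a transferred copy that is served only after it has been
// DNSSEC-validated; a transfer that fails validation is not used.
zone "example.internal" {
    type mirror;
    primaries { 10.0.0.10; };            // placeholder signed primary
    file "db.example.internal";
};
```

Two practical notes. A mirror zone is only served once it validates, so the zone must be signed and chained to a trust anchor the server knows (for a private zone that is not under the public root, that means configuring its key as a trust anchor). And to see the configuration exactly as named parses it, includes expanded, run `named-checkconf -p`; if the same option appears twice across the included files, named-checkconf reports the duplicate instead of silently picking one.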