Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-04 Thread Ray Bellis
On 04/01/2022 21:12, Grant Taylor via bind-users wrote: Yep. This is where I have settled. But I don't feel I can defend it when asked. Hence my seeking to better understand. There are categories of bugs that specifically affect recursion, and in BIND these are _much_ more common than th

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-04 Thread Grant Taylor via bind-users
On 1/4/22 4:37 AM, Ray Bellis wrote: Better yet, use BIND's mirror zones feature so that the zone is also DNSSEC validated. Completely agreed. I think the type of authoritative information is somewhat independent of the fact that any authoritative information exists. IMHO, the strictures ag

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-04 Thread Ray Bellis
On 04/01/2022 03:52, Grant Taylor via bind-users wrote: If I'm allowing recursion and authoritative on the same server, I'd have the recursive + authoritative server do secondary zone transfers off of the internal MS-DNS / AD server.  That way the clients can get the info off of the first se

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-03 Thread Grant Taylor via bind-users
On 1/3/22 10:57 AM, John Thurston wrote: It must have a 'forward' zone defined on it for each of those stupid domains. And yes, you are right... at that point it is no longer only performing recursion. ;-) But there is no other way to do it. Even in a combined recursive/authoritative design

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-03 Thread Matus UHLAR - fantomas
On 1/3/22 12:15 AM, Borja Marcos wrote: If you separate the roles it is much simpler to implement an effective access control. On 03.01.22 10:35, Grant Taylor via bind-users wrote: The problem I have with separating recursive and authoritative servers has to do with internal LANs and things li

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-03 Thread John Thurston
On 1/3/2022 8:35 AM, Grant Taylor via bind-users wrote: In short, how do you get a /purely/ /recursive/ server to know that internal-corp-lan.example (or any domain not in the global DNS hierarchy) is served by some other /purely/ /authoritative/ DNS server inside the company? It must have a

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-03 Thread Grant Taylor via bind-users
On 1/3/22 12:15 AM, Borja Marcos wrote: If you separate the roles it is much simpler to implement an effective access control. The problem I have with separating recursive and authoritative servers has to do with internal LANs and things like Microsoft Active Directory on non-globally-recogni

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-02 Thread Borja Marcos
rective) roles increases the risk of > DoS attacks and DNS cache poisoning... They mentioned CVE-2021-20322 that > supposedly makes cache poisoning feasible (again) - that made them increase > the concern level to a 'medium'. > > > While I understand how and why Do

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2021-12-30 Thread raf
t; > > > I have an authoritative DNS server for a domain, but I was also going to > > > > use the same server as a recursive DNS for my internal network, limiting > > > > recursion by the IP. Apparently, this is a bad idea that can lead to > > > > cache

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2021-12-30 Thread raf
> > use the same server as a recursive DNS for my internal network, limiting > > > recursion by the IP. Apparently, this is a bad idea that can lead to > > > cache poisoning... > > In short, no, this configuration with a BIND 9 server does not > > increas

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2021-12-30 Thread Reindl Harald
network, limiting recursion by the IP. Apparently, this is a bad idea that can lead to cache poisoning... In short, no, this configuration with a BIND 9 server does not increase your risk of cache poisoning any more than running your local server in pure recursive mode.  I'm curious to hear more

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2021-12-30 Thread Danilo Godec via bind-users
idea that can lead to cache poisoning... In short, no, this configuration with a BIND 9 server does not increase your risk of cache poisoning any more than running your local server in pure recursive mode. I'm curious to hear more from the source that has given you this impression. I suspect

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2021-12-29 Thread tale via bind-users
o > cache poisoning... In short, no, this configuration with a BIND 9 server does not increase your risk of cache poisoning any more than running your local server in pure recursive mode. I'm curious to hear more from the source that has given you this impression. I suspect there wer

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2021-12-29 Thread Tony Finch
Danilo Godec via bind-users wrote: > > I have an authoritative DNS server for a domain, but I was also going to > use the same server as a recursive DNS for my internal network, limiting > recursion by the IP. Apparently, this is a bad idea that can lead to > cache poisoning...

DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2021-12-29 Thread Danilo Godec via bind-users
Hello, I have an authoritative DNS server for a domain, but I was also going to use the same server as a recursive DNS for my internal network, limiting recursion by the IP. Apparently, this is a bad idea that can lead to cache poisoning... After watching a Computerphile YouTube video

Re: Possible cache poisoning

2010-10-26 Thread Sten Carlsen
If we talk about checking after suspected poisoning, my best idea is: dump the cache, then flush the cache and do the lookups again and compare to the cache-dump. Any difference is suspicious and should be looked closer upon. The cure is BTW also to flush the cache of the fake info. Remember tha

Re: Possible cache poisoning

2010-10-26 Thread Matus UHLAR - fantomas
On 25.10.10 16:39, The Doctor wrote: > My question is how can you detect if a DNS / Domain name > has been 'poisoned'? Quite hard if it's already been done. You can see what it contains and compare it with what it should contain, but you never know if the incorrect data didn't come from misconfig

Re: Possible cache poisoning

2010-10-26 Thread lst_hoe02
Quote from The Doctor: My question is how can you detect if a DNS / Domain name has been 'poisoned'? Compare what your cache delivers with results from other sites. To prevent cache poisoning you might use DNSSEC if the zones which are affected support it and at least use a recent Resolver wit

Re: Possible cache poisoning

2010-10-26 Thread Niobos
On 2010-10-26 00:39, The Doctor wrote: > My question is how can you detect if a DNS / Domain name > has been 'poisoned'? By using DNSSEC ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Possible cache poisoning

2010-10-25 Thread The Doctor
My question is how can you detect if a DNS / Domain name has been 'poisoned'? -- Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! http://twitter.com/rootnl2k http://www.facebook.com/

Re: Protecting bind from DNS cache poisoning!!!

2010-08-09 Thread Tony Finch
On Mon, 9 Aug 2010, Shiva Raman wrote: > > I tried implementing dnssec using the following document > http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/ That is rather out of date: it does not cover some important BIND-9.7 DNSSEC validation features, specifically RFC 5011 autom

Re: Protecting bind from DNS cache poisoning!!!

2010-08-09 Thread Matus UHLAR - fantomas
Allow bind to use as wide a range of port numbers as possible for UDP traffic. >> >> On 09.08.10 17:14, Shiva Raman wrote: >>> Yes this is allowed in the firewall. >> >> note that bind also should not have "port" option in query-source statement. On 09.08.10 14:08, Wolfgang Solfrank wrot

Re: Protecting bind from DNS cache poisoning!!!

2010-08-09 Thread Torsten
On Mon, 09 Aug 2010 14:08:26 +0200, Wolfgang Solfrank wrote: > >>> Allow bind to use as wide a range of port numbers as possible for > >>> UDP traffic. > > > > On 09.08.10 17:14, Shiva Raman wrote: > >> Yes this is allowed in the firewall. > > > > note that bind also should not have "port" potio

Re: Protecting bind from DNS cache poisoning!!!

2010-08-09 Thread Wolfgang Solfrank
Allow bind to use as wide a range of port numbers as possible for UDP traffic. On 09.08.10 17:14, Shiva Raman wrote: Yes this is allowed in the firewall. note that bind also should not have "port" option in query-source statement. In addition, be careful with the use of NAT on your firewal

Re: Protecting bind from DNS cache poisoning!!!

2010-08-09 Thread Matus UHLAR - fantomas
> >Allow bind to use as wide a range of port numbers as possible for UDP > >traffic. On 09.08.10 17:14, Shiva Raman wrote: > Yes this is allowed in the firewall. note that bind also should not have "port" option in query-source statement. > > Make sure your firewalls don't do daft things like fo

Re: Protecting bind from DNS cache poisoning!!!

2010-08-09 Thread Shiva Raman
Hi, thanks for your valuable suggestions. >Run an up-to-date version of bind. Be fanatical about applying security >patches promptly. Yes, I am running the latest version Bind-9.7.1-P2. >Don't allow recursion /at all/ for queries from the general public to >your authoritative servers, nor permit

Re: Protecting bind from DNS cache poisoning!!!

2010-08-08 Thread Matthew Seaman
On 08/08/2010 11:29:52, Shiva Raman wrote: >I am running Bind caching and bind authoritative servers with current > 9.7 version. I would like > to know the steps to be followed to protect bind from DNS Cache poisoning. > The bind DNS server > is running behind the firewa

Protecting bind from DNS cache poisoning!!!

2010-08-08 Thread Shiva Raman
Dear All, I am running Bind caching and bind authoritative servers with current 9.7 version. I would like to know the steps to be followed to protect bind from DNS Cache poisoning. The bind DNS server is running behind the firewall which allows only DNS queries. Kindly share your views

Re: cache poisoning

2009-08-11 Thread Matus UHLAR - fantomas
On 11.08.09 13:27, Nelson Serafica wrote: > I need to set bind to listen to all addresses. I'm using AMAZON EC2 no, you don't. you configure listening IPs/ports by using listen-on and listen-on-v6. query-source only configures which IP/port your requests will come from. -- Matus UHLAR - fant

Re: cache poisoning

2009-08-10 Thread Nelson Serafica
I need to set bind to listen to all addresses. I'm using AMAZON EC2 Maybe a strange question. Why did you have a query source statement in your configuration in the first place?

Re: cache poisoning

2009-08-10 Thread Bill Larson
On Aug 10, 2009, at 10:06 PM, Nelson Serafica wrote: Thanks Mark! it works. I changed my query source to one of the entries below and it works. Maybe a strange question. Why did you have a query source statement in your configuration in the first place? Bill Larson Mark Andrews wrote:

Re: cache poisoning

2009-08-10 Thread Nelson Serafica
Thanks Mark! it works. I changed my query source to one of the entries below and it works. Mark Andrews wrote: query-source * port 53; // bad query-source 10.53.0.1; // ok query-source *; // ok (default) query-source-v6 * port 53; // bad que

Re: cache poisoning

2009-08-10 Thread Mark Andrews
In message <4a80e783.4090...@gmail.com>, Nelson Serafica writes: > Last year, there was a global threat about cache poisoning so I updated immediately my bind. I update it to BIND > 9.5.0-P1 and did nothing to its named.conf You should have at least checked the query

cache poisoning

2009-08-10 Thread Nelson Serafica
Last year, there was a global threat about cache poisoning so I updated my bind immediately. I updated it to BIND 9.5.0-P1 and did nothing to its named.conf. Now, I'm setting up a secondary dns (in my previous emails) and I used BIND 9.6.1-P1. But when I do dig +short @ porttest.dns-oarc.ne

Re: cache poisoning counter-measures

2009-01-05 Thread Matus UHLAR - fantomas
On 05.01.09 15:29, Chris Henderson wrote: > I'm trying to implement some basic counter-measures against the > Kaminsky bug. I have had to configure my switch to allow any incoming > query to TCP and UDP port 53 on my slave DNS server. I was wondering > if this is going to cause any problem as far a

Re: cache poisoning counter-measures

2009-01-04 Thread Doug Barton
Chris Henderson wrote: > I'm trying to implement some basic counter-measures against the > Kaminsky bug. I have had to configure my switch to allow any incoming > query to TCP and UDP port 53 on my slave DNS server. I was wondering > if this is going to cause any problem as far as security is conce

Re: cache poisoning counter-measures

2009-01-04 Thread Alan Clegg
Chris Henderson wrote: > I'm trying to implement some basic counter-measures against the > Kaminsky bug. I have had to configure my switch to allow any incoming > query to TCP and UDP port 53 on my slave DNS server. I was wondering > if this is going to cause any problem as far as security is conce

cache poisoning counter-measures

2009-01-04 Thread Chris Henderson
I'm trying to implement some basic counter-measures against the Kaminsky bug. I have had to configure my switch to allow any incoming query to TCP and UDP port 53 on my slave DNS server. I was wondering if this is going to cause any problem as far as security is concerned. Bind version 9.4.1 runni