forwarding to a child zone is different!!

Kevin Darcy kcd at daimlerchrysler.com
Mon Apr 30 21:34:10 UTC 2001


Brad Knowles wrote:

> At 8:37 PM -0400 4/25/01, Kevin Darcy wrote:
>
> >  Why don't we just agree that separating recursive from non-recursive
> >  functions is generally recommended on/between network boundaries, i.e. where
> >  there are differing levels of trust wrt the respective networks, a higher
> >  danger of cache pollution, denial-of-service attacks, etc., but outside of
> >  that context, hybrid recursive/non-recursive configurations are often
> >  appropriate.
>
>         I can agree that in certain very limited circumstances (such as
> when you have internal nameservers that are behind one or more
> firewalls and have no possible way of accessing the outside world and
> vice-versa) that it *MAY* be an acceptable risk to mix authoritative
> services with recursive/caching services on the same machine.
>
>         However, outside of that context, I believe that to do something
> of this sort is far too dangerous, and indeed is as bad as, or worse
> than, using forwarding or wildcard RRs.

Cache poisoning isn't really the issue; the main problems with having recursion
open are a) you can get used as a DoS amplifier, b) other organizations
("freeloaders") may start using your nameserver to resolve all Internet names.
Both situations can be dealt with by either restricting external queries to only
authoritative zones, or (less effectively) simply restricting recursion to
internal clients. For administrative convenience, I personally prefer to make a
complete separation, having one nameserver instance which is completely
non-recursive. But I'm just recognizing that there _are_ other options, which
might be more attractive to folks who don't have the budget for extra nameservers
and perhaps not the necessary skillset to manage multiple nameserver instances on
a single box.

>         In other words, it is to be avoided at all possible costs, unless
> you really, really know what you're doing, and is not something to be
> advocating publicly.

As you may have noticed, I take more of a "right tool for the right job" approach
than a "rules to live by" approach. The trouble with rules is that if folks don't
understand the reasoning behind the rules, they are likely to misapply them. Plus,
if someone administers DNS based on nothing but a bunch of rules, they are less
likely to *learn* the fundamental theory of DNS, which means they get flummoxed if
something goes wrong, if the technology changes, or if a new requirement crops up
which isn't covered by a rule. Not only that, but sometimes rules get garbled when
they are passed from one clueless admin to another. So, we occasionally get folks
showing up here with nonsense rules like "don't use aliases ever" or "every
forward record has to have a reverse record".


- Kevin
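The three options Kevin lists (restrict external queries to authoritative zones, restrict recursion to internal clients, or run a completely non-recursive instance) map onto a few lines of BIND 9 `named.conf`. The following is an added illustration, not configuration from the post or from the BIND project; the `10.0.0.0/8` internal network, the `192.0.2.53` listen address and the `example.com` zone are constructed placeholders.

```conf
# Added example, not from the original post. Addresses and zone names are
# constructed placeholders.

acl "internal" { 10.0.0.0/8; 127.0.0.1; };

# --- Weak setting: recursion open to anyone who can reach the server ----
# options {
#     recursion yes;             # BIND's default; any client may recurse
# };

# --- Option 1 (the post's "more effective" choice): external clients may
# --- query only the zones we are authoritative for; cache lookups and
# --- recursion are limited to internal clients ---------------------------
options {
    directory "/var/named";
    recursion yes;
    allow-query     { "internal"; };   # global default applies to the cache
    allow-recursion { "internal"; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };              # zone-level override: public data stays public
};

# --- Option 2 (the post's "less effective" choice): restrict recursion only
# options {
#     recursion yes;
#     allow-recursion { "internal"; };  # outsiders can still read cached answers
# };

# --- Option 3: complete separation; this is the non-recursive instance.
# --- The internal resolver runs as a separate named on another address.
# options {
#     recursion no;                     # authoritative only, never recurses
#     allow-query { any; };
#     listen-on { 192.0.2.53; };        # constructed public address
# };
```

With option 1 the global `allow-query` covers the cache, so outsiders cannot use the server as a resolver or read cached data, while the zone-level `allow-query { any; }` keeps the authoritative data reachable. Option 2 alone stops outsiders from recursing through the server, but non-recursive queries for already-cached names are still answered to anyone, which is why the post rates it as less effective. Option 3 is the full split: the public instance answers only for its own zones, and a separate recursive instance serves internal clients.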
