CNAMEs pointing to outside domains

Kevin Darcy kcd at daimlerchrysler.com
Wed Jun 19 01:56:24 UTC 2002


Vincent Aniello wrote:

> "Simon Waters" <Simon at wretched.demon.co.uk> wrote in message
> news:aenrqm$663r$1 at isrv4.isc.org...
> >
> > Vincent Aniello wrote:
> > >
> > > If this is the case then I am
> > > going to get complaints from users that try nslookups on the CNAME records
> > > pointing to outside domains.
> >
> > You shouldn't as your users are presumably on networks to which
> > you allow recursion?
>
> By users I was also referring to customers performing nslookups from the
> Internet.  The customers' networks are not in the list of trusted networks on
> my DNS servers.

Disabling recursion is becoming more and more a standard practice, as awareness
increases of Denial-of-Service and cache poisoning attacks. Also, a lot of
organizations don't like folks freeloading off their nameservers. Given this,
none of your customers should be surprised if your nameserver declines to
recurse to fetch the target of a CNAME, when the query comes from outside of
your own network.


- Kevin
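
The setup discussed in this thread, sketched as a named.conf fragment. This is an added illustration, not configuration posted by anyone in the thread; the ACL name, networks and zone are constructed placeholders.

```conf
// Constructed example: ACL name, networks and zone are placeholders.
acl "trusted" {
    127.0.0.0/8;
    192.0.2.0/24;       // internal clients (documentation address range)
};

options {
    // Weak setting: any host on the Internet can use this server as a
    // resolver, which exposes its cache to poisoning attempts and lets
    // outsiders consume its resources.
    // allow-recursion { any; };

    // Restricted setting: only the trusted networks get recursion.
    allow-recursion { trusted; };
};

// Authoritative data is still served to every client.
zone "example.com" {
    type master;
    file "example.com.zone";
};

// In example.com.zone:
//   www   IN  CNAME  host.example.net.
//
// Query for www.example.com from 192.0.2.10 (trusted):
//   the server recurses, so the answer carries the CNAME and the
//   address records of host.example.net.
// Same query from an address outside the ACL:
//   the server returns the CNAME from its own zone and does not
//   recurse to fetch host.example.net; the client's own resolver
//   has to look up the target.
```

A client that sends the query through its own recursive resolver gets the full answer either way, because that resolver follows the CNAME to the outside domain itself.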




More information about the bind-users mailing list