cache server allow-recursion no problem?

Kevin Darcy kcd at daimlerchrysler.com
Tue Mar 12 20:50:59 UTC 2002


David Xiao wrote:

> someone told me to turn off recursion query on my primary and
> secondary nameserver. They said that may cause DNS Spoofing Attack.
>
> but they told me to allow-recursion on my cache server. So my dial-up
> clients can query other domains.
> Doesn't a cache server cause DNS Spoofing Attack?
> What is DNS Spoofing Attack?

Simply put, a DNS spoofing attack is where some malicious nameserver
tricks yours into accepting bogus data as genuine. If your nameserver is
fooled into thinking that www.amazon.com points to some hacker's
webserver, for instance, then maybe the hacker could harvest passwords,
etc. By turning off recursion on your authoritative -- master and slave
-- nameservers, you prevent them from querying other nameservers and
thus eliminate the possibility of DNS spoofing. Your caching servers, on
the other hand, *must* allow recursion, otherwise they would be unable
to resolve Internet names for your clients. But they are generally safe
from DNS spoofing attacks because they are not accessible from outside
your network (right?) and therefore the hackers are unable to make the
necessary queries to them that would cause them to be spoofed (unless of
course the hackers are customers of yours, in which case presumably you
have a way to trace their identities).


- Kevin
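The split Kevin describes, as an added example that is not part of the original post or of BIND itself: two BIND 9 named.conf fragments, one per server role, with the open-resolver setting shown beside the restricted one. Zone name, file paths and the client address range are placeholders.

```conf
// ---- /etc/named.conf on the authoritative (master/slave) nameserver ----
// No recursion at all: it never asks other nameservers, so it cannot be fed
// bogus answers; it only serves the zones it holds.
options {
    directory "/var/named";
    recursion no;                 // refuse recursive queries entirely
    allow-query { any; };         // the world may ask about our zones
};

zone "example.org" {              // placeholder zone
    type master;
    file "db.example.org";
};

// ---- /etc/named.conf on the caching (resolver) nameserver ----
// Must recurse to resolve Internet names for the dial-up clients, so instead
// of turning recursion off, restrict who is allowed to trigger it.
acl "internal" {
    127.0.0.1;
    192.0.2.0/24;                 // placeholder: the dial-up client pool
};

options {
    directory "/var/named";
    recursion yes;                // needed to resolve names for our clients
    // Weak setting (open resolver reachable from outside the network):
    //   allow-recursion { any; };
    // Restricted setting: only our own clients may make recursive queries.
    allow-recursion { "internal"; };
    allow-query     { "internal"; };
};
```

A quick check from outside the network: a query to the authoritative server for a name it is not authoritative for should come back REFUSED, and the response header should not carry the `ra` (recursion available) flag.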