Force Clients to *always* use authoritative

Stephen John Smoogen smooge at gmail.com
Wed Dec 20 18:59:21 UTC 2006


On 12/18/06, Karl R. Balsmeier <karl at klxsystems.net> wrote:
> Peter Dambier wrote:
>
> >Karl R. Balsmeier wrote:

> We were just advised:
>
> If so you could use max-cache-ttl and max-ncache-ttl with a very low ttl like 1 second.  Although then you still have a problem with the client itself caching the lookup.
>

The only time I have heard of this was from a consultant who was giving
security advice on every possible threat. The lowering of caching
times is sometimes 'recommended' to stop possible attacks where
someone asks a nameserver for an answer and sees if an answer is
cached or not. If the answer is cached, you can guess that someone
else who is using the nameserver asked for that information, and you
can guess some other data on how long ago they asked for it. I think
there are some other 'attacks' and communication channels that can be
used via cached channels.

In the cases where you have information that you are guarding that
much, you will want to really think about how you are going to design
your network beyond just changing 'caching' times. Using
compartmentalized DNS caching name servers that can only be talked to by
certain physical networks, placing sensors that will look for odd
query/answers, etc. would be a better idea.

-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
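The "sensors that will look for odd query/answers" idea from the post above, as an added example that is not part of the original thread: a small Python filter over constructed BIND 9 query-log lines that flags clients sending repeated non-recursive (RD=0) queries, which is how a cache is probed for entries without making the resolver fetch anything. The log layout, the sample addresses and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines laid out like a BIND 9 query log (assumed format).
# The field after the record type carries the flags: '+' means recursion
# desired, '-' means recursion not desired; E/T/D/C letters may follow.
SAMPLE_QUERY_LOG = """\
client 192.0.2.10#53211: query: www.example.com IN A +E (198.51.100.1)
client 192.0.2.10#53212: query: mail.example.com IN MX +E (198.51.100.1)
client 203.0.113.7#4000: query: www.example.com IN A -E (198.51.100.1)
client 203.0.113.7#4001: query: intranet.example.org IN A -E (198.51.100.1)
client 203.0.113.7#4002: query: vpn.example.org IN A - (198.51.100.1)
client @0x7f3a1c0 203.0.113.7#4003 (payroll.example.org): query: payroll.example.org IN A -E(0)D (198.51.100.1)
client 192.0.2.11#51000: query: ns1.example.net IN AAAA +ED (198.51.100.1)
"""

# Accepts both the older "client addr#port:" and the newer
# "client @0x... addr#port (qname):" prefixes.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[^#\s]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>[+-]\S*)"
)


def parse_query_log(text):
    """Yield (client_ip, qname, qtype, recursion_desired) for each query line."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        yield m["ip"], m["name"], m["type"], m["flags"].startswith("+")


def find_snooping_clients(text, threshold=2):
    """Return {client_ip: count} for clients that sent at least `threshold`
    non-recursive (RD=0) queries; a single one can be a misconfigured stub,
    a run of them is a cache probe worth looking at."""
    counts = Counter(ip for ip, _, _, rd in parse_query_log(text) if not rd)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_snooping_clients(SAMPLE_QUERY_LOG).items():
        print(f"{ip}: {n} non-recursive queries")
```

Run this over the resolver's query-log channel output and pair it with the post's other advice, restricting which networks may query the cache at all, rather than relying on short TTLs.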
