Cache poisoning
Barry Margolin
barmar at alum.mit.edu
Fri Jul 14 12:32:24 UTC 2006
In article <e98272$2h9$1 at sf1.isc.org>,
"Jeff Lightner" <jlightner at water.com> wrote:
> The BIND servers I'm talking about are a master and slave we use only
> for external queries to our internet facing systems and for forwards to
> the root servers from the inside (internally we have Windows DNS
> servers).
>
> The question came up because our security admin ran a Nessus scan and it
> indicated we're running a version of BIND susceptible to cache
> poisoning. I'm going to upgrade the OS and the BIND on the servers in
> question. I had asked to do this some months ago and the Nessus scan
> helped me get the point across. However I was of the impression that
> cache poisoning was only an issue on a caching name server and we aren't
> running one. The responses you and Barry sent seem to confirm that. I
> just wanted to know the urgency of doing the upgrade as approvals flow
> like molasses around here.
What do you mean by "forwards to the root servers from the inside"? You
can't really use the root servers as forwarders, so I assume you mean it
has root hints configured, and uses this to look up outside domains on
behalf of queries coming from inside. This *is* a caching name server.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
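
The setup described in the reply above, written out as a named.conf sketch. This is an added example, not part of the original post or the poster's configuration; the ACL name, address ranges, zone name and file names are placeholders. It shows why root hints plus recursion make the server a caching one, and how `allow-recursion` limits which clients it will resolve outside names for.

```conf
// named.conf sketch (constructed example; names and addresses are placeholders)

// Weak form: root hints are loaded and recursion is not limited, so the
// server resolves and caches outside names for any client that asks.
//
// options {
//     directory "/var/named";
//     recursion yes;
// };

// Restricted form: recursion is offered only to inside clients.
acl "inside" {
    127.0.0.1;
    10.0.0.0/8;          // placeholder internal range
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "inside"; };
};

// Root hints. Together with recursion, this is what makes the server
// look up outside domains on behalf of clients and cache the answers.
zone "." {
    type hint;
    file "named.ca";     // placeholder hints file
};

// Authoritative data for the Internet-facing zone, answerable by anyone.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
```

A server that should only answer for its own zones can instead set `recursion no;` and drop the hint zone, leaving outside lookups to a separate internal resolver.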