Cache poisoning

Barry Margolin barmar at alum.mit.edu
Fri Jul 14 12:32:24 UTC 2006


In article <e98272$2h9$1 at sf1.isc.org>,
 "Jeff Lightner" <jlightner at water.com> wrote:

> The BIND servers I'm talking about are a master and slave we use only
> for external queries to our internet facing systems and for forwards to
> the root servers from the inside (internally we have Windows DNS
> servers).
> 
> The question came up because our security admin ran a Nessus scan and it
> indicated we're running a version of BIND susceptible to cache
> poisoning.  I'm going to upgrade the OS and the BIND on the servers in
> question. I had asked to do this some months ago and the Nessus scan
> helped me get the point across.   However I was of the impression that
> cache poisoning was only an issue on a caching name server and we aren't
> running one.  The responses you and Barry sent seem to confirm that.  I
> just wanted to know the urgency of doing the upgrade as approvals flow
> like molasses around here.

What do you mean by "forwards to the root servers from the inside"?  You 
can't really use the root servers as forwarders, so I assume you mean it 
has root hints configured, and uses this to look up outside domains on 
behalf of queries coming from inside.  This *is* a caching name server.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
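
Added example, not part of the original message or of BIND: a heuristic Python check for the situation the reply describes, where a server that hosts authoritative zones also has root hints and resolves outside names for inside clients, which makes it a caching server. The function name, the result keys and both sample configurations are constructed for illustration; `include` files and per-view settings are not handled.

```python
import re

def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def audit_named_conf(text):
    """Heuristic: does this named.conf describe a server that recurses and caches?"""
    conf = strip_comments(text)
    # named recurses unless told not to, so only an explicit "recursion no;" disables it.
    recursion = not re.search(r"\brecursion\s+no\s*;", conf)
    # Root hints: a hint-type zone for "." lets the server walk down from the roots.
    hint_zone = bool(re.search(r'zone\s+"\."\s*(?:in\s*)?\{[^}]*\btype\s+hint\s*;',
                               conf, flags=re.I))
    # A non-empty forwarders list is the other way to reach outside names.
    forwarders = bool(re.search(r"\bforwarders\s*\{\s*[^\s}]", conf))
    # An allow-recursion ACL limits who may trigger lookups; it does not stop caching.
    restricted = bool(re.search(r"\ballow-recursion\s*\{", conf))
    return {
        "recursion": recursion,
        "hint_zone": hint_zone,
        "forwarders": forwarders,
        "recursion_restricted": restricted,
        # Recursion plus a path to outside data means answers get cached.
        "caching": recursion and (hint_zone or forwarders),
    }

# Constructed sample: authoritative zone plus root hints, recursion left at its default.
MIXED_ROLE = '''
options { directory "/var/named"; };   // constructed sample
zone "." { type hint; file "named.root"; };
zone "example.com" { type master; file "db.example.com"; };
'''

# Constructed sample: authoritative-only server.
AUTH_ONLY = '''
options {
    directory "/var/named";
    recursion no;   # authoritative answers only
};
zone "example.com" { type master; file "db.example.com"; };
'''

if __name__ == "__main__":
    for name, conf in (("mixed role", MIXED_ROLE), ("auth only", AUTH_ONLY)):
        print(name, audit_named_conf(conf))
```

A `caching` result of `False` from this check only means no explicit hint zone or forwarders were found in the text it was given; confirm against the running server before treating it as authoritative-only.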


