Cache poisoning

Jeff Lightner jlightner at water.com
Fri Jul 14 12:43:42 UTC 2006


Right, it has hints for root servers.   OK, so they are caching name
servers in addition to being master/slaves if I read this correctly?

In that case will the recursion setup mentioned prevent the poisoning?
Nessus suggested I need to upgrade to later BIND 9 or earlier BIND 8.
Was there a version of BIND 9 that couldn't be fixed via such a
recursion setup?

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Barry Margolin
Sent: Friday, July 14, 2006 8:32 AM
To: comp-protocols-dns-bind at isc.org
Subject: Re: Cache poisoning

In article <e98272$2h9$1 at sf1.isc.org>,
 "Jeff Lightner" <jlightner at water.com> wrote:

> The BIND servers I'm talking about are a master and slave we use only
> for external queries to our internet facing systems and for forwards to
> the root servers from the inside (internally we have Windows DNS
> servers).
> 
> The question came up because our security admin ran a Nessus scan and it
> indicated we're running a version of BIND susceptible to cache
> poisoning.  I'm going to upgrade the OS and the BIND on the servers in
> question. I had asked to do this some months ago and the Nessus scan
> helped me get the point across.   However I was of the impression that
> cache poisoning was only an issue on a caching name server and we aren't
> running one.  The responses you and Barry sent seem to confirm that.  I
> just wanted to know the urgency of doing the upgrade as approvals flow
> like molasses around here.

What do you mean by "forwards to the root servers from the inside"?  You
can't really use the root servers as forwarders, so I assume you mean it
has root hints configured, and uses this to look up outside domains on
behalf of queries coming from inside.  This *is* a caching name server.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
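For readers following the thread: the "recursion setup" being discussed is the named.conf restriction that lets the server keep answering authoritative queries from anywhere while only recursing (and thus only populating and serving its cache) for inside clients. The fragment below is an added illustration, not configuration from either poster; the network ranges and zone name are placeholders, and allow-query-cache requires BIND 9.4 or later.

```conf
// Placeholder: the internal ranges that may use this server as a resolver.
acl "internal" {
    127.0.0.1;
    10.0.0.0/8;
    192.168.0.0/16;
};

options {
    // Weak: recursion left open to everyone, so any outside host can
    // both ask for, and be served answers from, the shared cache.
    //   recursion yes;            // default allows recursion for all
    //   allow-recursion { any; };

    // Restricted: outside hosts get only authoritative data; recursion
    // and cache answers are limited to the internal ACL.
    recursion yes;
    allow-query        { any; };       // authoritative zones stay public
    allow-recursion    { internal; };  // who may trigger outbound lookups
    allow-query-cache  { internal; };  // who may read cached answers (9.4+)
};

// Authoritative zone remains answerable from the Internet (placeholder name).
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

After reloading, test from an outside address: a query for a name in the served zone should succeed, while a query for an unrelated name should return REFUSED rather than a recursive answer.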