Help Understanding Cache Poisoning

Peter Dambier peter at
Sat Nov 25 18:55:26 UTC 2006

Will wrote:
> Can someone explain to me if an ISP has misconfigured their public DNS to
> allow outsiders to do recursive queries on the server, how does that make
> possible cache poisoning of zones for which the ISP is primary?

You do not need an outsider to poison your ISP's cache. An insider can do
as well.

There are two kinds of machines, resolvers and authoritative nameservers.
You cannot poison an authoritative nameserver.

The machine you are querying normally is a resolver, and the resolver you
can poison.

My advice, if you want to be safe then never use your ISP's resolver or
somebody else's. Build your own resolver. Let this resolver only answer
to queries from inside, never from outside.

Let your resolver only use root servers, no forwarders.

Now it is only you who can poison your resolver.
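The configuration the reply recommends (a private resolver that answers only internal clients and resolves from the root servers with no forwarders), written out as a BIND 9 named.conf fragment. This is an added illustration, not configuration from the original post or from the poster; the address ranges, interface address and file paths are assumptions and must be adapted to your own network.

```conf
// Added example: a recursion-only resolver for internal clients, BIND 9 syntax.
// All addresses and paths below are assumptions, not values from the post.

acl "internal" {
    127.0.0.1;
    ::1;
    192.168.0.0/16;     // assumed LAN range
};

options {
    directory "/var/cache/bind";    // assumed working directory

    // The open-resolver misconfiguration the question asks about is
    // "allow-recursion { any; };" on a server reachable from the Internet.
    // Here recursion is offered to the internal ACL only; anyone else
    // asking for recursion gets REFUSED, and cannot seed the cache.
    recursion yes;
    allow-recursion { internal; };
    allow-query { internal; };
    allow-query-cache { internal; };

    // No forwarders: the resolver walks the tree from the roots itself
    // instead of trusting somebody else's cache. Leave "forwarders" and
    // "forward" out of this block entirely.

    // Listen only on loopback and the inside interface (assumed address),
    // not on the public-facing address.
    listen-on { 127.0.0.1; 192.168.1.1; };
    listen-on-v6 { ::1; };
};

// Root hints: this is what lets the resolver start at the root servers.
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";   // assumed path to your distro's hints file
};
```

Check the file with `named-checkconf` before reloading, then confirm from a host outside the "internal" ACL that a query for a name the server is not authoritative for comes back REFUSED (`dig +norecurse` from inside should still succeed for cached names). If the same machine also serves as the ISP's authoritative server for its own zones, the usual advice is to run that function as a separate instance with `recursion no;`, so that the authoritative data never shares a process or cache with recursive lookups.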

