Help Understanding Cache Poisoning
peter at peter-dambier.de
Sat Nov 25 18:55:26 UTC 2006
> Can someone explain to me if an ISP has misconfigured their public DNS to
> allow outsiders to do recursive queries on the server, how does that make
> possible cache poisoning of zones for which the ISP is primary?
You do not need an outsider to poison your ISP's cache. An insider can do
There are two kinds of machines, resolvers and authoritative nameservers.
You cannot poison an authoritative nameserver.
The machine you are querying normally is a resolver, and the resolver you
My advice: if you want to be safe, then never use your ISP's resolver or
somebody else's. Build your own resolver. Let this resolver only answer
to queries from inside, never from outside.
Let your resolver only use root servers, no forwarders.
Now it is only you who can poison your resolver.
Peter and Karin
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
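
A BIND 9 named.conf sketch of the resolver setup recommended in the message above, added here as an example that is not part of the original post. The ACL name, the 192.0.2.0/24 inside network, the working directory and the root hints file name are assumptions.

```conf
// Constructed example: caching-only resolver that serves inside clients only.
// The ACL name "inside" and the 192.0.2.0/24 range are placeholder assumptions.
acl inside {
    localhost;          // built-in ACL: this host's own addresses
    192.0.2.0/24;       // assumed internal network (documentation range)
};

options {
    directory "/var/named";            // assumed working directory

    recursion yes;

    // Weak setting this replaces: allow-recursion { any; };
    // Outside hosts get no recursion and no answers from the cache.
    allow-query       { inside; };
    allow-recursion   { inside; };
    allow-query-cache { inside; };

    // No forwarders: resolve iteratively, starting from the root hints,
    // instead of trusting another party's cache.
    forwarders { };
};

// Root hints so the resolver starts at the root servers.
zone "." {
    type hint;
    file "named.root";                 // assumed file name
};
```

Running `named-checkconf` against the file catches syntax errors before the server is reloaded.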