[bind] Cache Verification

Tuc at T-B-O-H.NET ml at t-b-o-h.net
Mon Jul 28 15:30:20 UTC 2008


> 
> primary DNS zones on DNS servers at a few of our customers' ISPs. So 
> basically take a list of ~6 open, recursive DNS servers. Do a lookup 
> against them and verify the answer against the known good answer. And do 
> this once every (TTL). With the current security issues I'm sure 
> someone has already written better code than I'm going to come up with in 
> the next hour. Anybody want to share?
> 
	That'll only prevent problems with people that use those servers
for recursive DNS. What about the thousands (I'm guessing) of other
ones that you aren't checking? The bigger issue isn't that YOUR recursives can
be compromised for your domains, it's that EVERYONE ELSE'S can be compromised
for your domains.

	As for monitoring, have you looked into open-source NMS-type systems?

			Tuc


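The polling check the quoted question describes (query a short list of open recursive resolvers for your own zone's records, compare each answer set against the known-good addresses, and re-poll when the TTL runs out), written out as an added example that is not code from this thread or from BIND. It uses only the Python standard library, so it builds and parses the DNS wire format itself; the resolver addresses, zone name and expected address set are placeholders, and the two wire-format replies at the bottom are constructed test data (TEST-NET addresses) so the parser and comparison can be exercised offline. Tuc's objection still applies: this only tells you about the resolvers you chose to poll, and a reply whose transaction ID does not match the query is discarded rather than treated as evidence of anything.

```python
"""Poll open recursive resolvers for a zone's A records and compare them with
the known-good set.  Added example, not from the original thread; resolver
list, zone and expected addresses are placeholders."""
import random
import socket
import struct
import time

QTYPE_A, QCLASS_IN = 1, 1


def build_query(qname, txid=None):
    """Return (wire-format A/IN query with RD=1, transaction id)."""
    txid = random.randrange(0, 1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.strip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN), txid


def _read_name(msg, off, max_jumps=16):
    """Decode a possibly-compressed name; return (name, offset after it).
    The jump limit keeps a crafted reply from looping the parser forever."""
    labels, end, jumps = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("too many compression pointers")
            if end is None:
                end = off + 2                       # name ends after pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_a_records(msg, expected_txid):
    """Return (rcode, [(owner, ip, ttl), ...]) from a DNS reply."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")  # not a reply to our query
    off = 12
    for _ in range(qd):                             # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN:
            answers.append((owner, socket.inet_ntoa(rdata), ttl))
    return flags & 0xF, answers


def query_a(resolver, qname, timeout=2.0):
    """Send one UDP A query to `resolver` and parse the reply."""
    pkt, txid = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def check_answers(answers, expected_ips):
    """Return (matches known-good set?, set of addresses we did not expect)."""
    got = {ip for _, ip, _ in answers}
    return got == set(expected_ips), got - set(expected_ips)


def next_check_delay(answers, floor=30):
    """Re-poll when the shortest TTL expires, but never faster than `floor` s."""
    return max(floor, min((ttl for _, _, ttl in answers), default=floor))


def verify_resolvers(resolvers, qname, expected_ips, query=query_a):
    """Poll each resolver once -> {resolver: (ok, unexpected_ips, delay_s)}."""
    results = {}
    for r in resolvers:
        try:
            rcode, answers = query(r, qname)
        except (OSError, ValueError, struct.error, IndexError) as e:
            results[r] = (False, {"error: %s" % e}, next_check_delay([]))
            continue
        ok, extra = check_answers(answers, expected_ips)
        results[r] = (ok and rcode == 0, extra, next_check_delay(answers))
    return results


# Constructed reply for offline testing: www.example.com A -> 192.0.2.1 (TTL 3600)
# and 192.0.2.2 (TTL 300), txid 0x1234, owner names as c00c compression pointers.
CONSTRUCTED_GOOD = bytes.fromhex(
    "1234 8180 0001 0002 0000 0000"                     # header: response, RD, RA
    "03777777 076578616d706c65 03636f6d 00 0001 0001"   # question www.example.com A IN
    "c00c 0001 0001 00000e10 0004 c0000201"             # A 192.0.2.1, TTL 3600
    "c00c 0001 0001 0000012c 0004 c0000202"             # A 192.0.2.2, TTL 300
)
# Same reply with the last address swapped for an unexpected (TEST-NET-2) one.
CONSTRUCTED_POISONED = CONSTRUCTED_GOOD[:-4] + socket.inet_aton("198.51.100.9")

if __name__ == "__main__":
    # Placeholder resolvers / zone / expected set; substitute your own.
    resolvers, expected = ["192.0.2.53", "198.51.100.53"], ["192.0.2.1", "192.0.2.2"]
    while True:
        res = verify_resolvers(resolvers, "www.example.com", expected)
        for r, (ok, extra, _) in res.items():
            print("%s: %s" % (r, "OK" if ok else "MISMATCH %s" % sorted(extra)))
        time.sleep(min(d for _, _, d in res.values()))
```

The comparison is on the set of addresses, not their order, because recursive servers rotate round-robin answers; a resolver that times out or returns a malformed or mismatched-ID reply is reported as a failure rather than crashing the poller, so a run over several servers always completes. The re-poll interval follows the shortest TTL in the answer, with a floor so a zero or tiny TTL does not turn the checker into a flood.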