DNS Cache Snooping?

Jeff Lightner jlightner at water.com
Mon Jun 23 23:26:27 UTC 2008

I'm looking at a scan done to help us achieve PCI Compliance.
On my external facing DNS servers it talks about "DNS Cache Snooping".

They point to a document written in 2004 so I'm guessing it is a little
out of date. 

On doing searches on the subject I'm finding pretty much the same
document on or quoted on various sites.

None of them really seem to say anything about how current BIND
implementation (e.g. 9.3.4 P1) could be modified.

I have prevented recursive lookups from outside.  However on doing test
I have confirmed that recent recursive lookups from inside do in fact
cause the servers to cache the records and subsequent digs from outside
while confirming recursive lookup was denied do get the same record from
cache as was returned on the original lookup from inside.   

Note that we are using what is being recommended as "Split DNS" already.
i.e. The servers I'm speaking of only advertise those external facing
domains we want to be visible.  The internal lookups are all done by
Windows DNS servers and those only refer external lookups (root hints)
to the external DNS servers.

Is this really a concern I should address?   

If so do I just need to turn off caching on my BIND servers completely?
If so what is the best way to do that?

Would it be better to try to configure the Windows DNS servers to do
their own external lookups without going through my BIND servers?  If so
any clue on how to do that?

FYI:  I did search the archives which don't seem to mention this at all.
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.

More information about the bind-users mailing list