DNS Cache Snooping?
jlightner at water.com
Tue Jun 24 15:09:59 UTC 2008
It seems allow-query would undo what I've already done.
I'm getting the feeling my original post somehow has been dissociated
from the thread so I'll try to restate it:
The server is an advertising server for the domains we are authoritative
for and want people to be able to lookup from the internet.
It is also the server that does the lookups for things outside our
network for people inside the network.
Therefore my first mission was to allow recursion for the inside people
and prevent it for the external people while still allowing the external
to lookup the domains for which we are authoritative.
By creating the "internaldns" ACL and then adding the "allow-recursion"
option using that ACL I was able to make this work successfully. If you
hit our DNS server to do a lookup of a domain it will deny recursion
unless you come from one of our internal DNS servers (as everyone inside
However, despite that what I've found is that if we do an internal
lookup then the server caches the record (e.g. google.com). When I
then test from outside the network it still denies the recursive lookup
but provides the answer from cache.
My mission now is to try to prevent this cache lookup from outside our
network. The reason for that is because in a PCI compliance scan they
complain of "DNS Cache Snooping" being possible. Specifically they
reference this white paper:
From: Jeremy C. Reed [mailto:Jeremy_Reed at isc.org]
Sent: Tuesday, June 24, 2008 10:42 AM
To: Jeff Lightner
Cc: comp-protocols-dns-bind at isc.org
Subject: RE: Re: DNS Cache Snooping?
On Tue, 24 Jun 2008, Jeff Lightner wrote:
> My apologies - On rereading it I guess I misinterpreted what it said.
> It had mentioned BIND 9.3 then it said "Prior to BIND 9.4.1-P1" later
> then went back to a comment about BIND 9.3 so in my head "Prior to
> 9.4.1-P1" meant BIND 9.3 due to the mentions before and after.
No apologies needed. The wording was not clear. I have now added a
sentence to clarify when the new option was added.
Won't just using "allow-query" be good enough for you?
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.
More information about the bind-users