DNS Cache Snooping?

Chris Buxton cbuxton at menandmice.com
Tue Jun 24 17:29:06 UTC 2008

Reading over this thread, I've been dismayed by the number of responses that were based on a misreading of your original post.

There are two solutions that do not involve upgrading to 9.4.1-P1 or  

1. Suggested by Jeremy Reed already, set "allow-query { internaldns; };" in your options statement, and then set "allow-query { any; };" in each zone statement. Tedious to maintain, which is why 9.4.x introduced the allow-query-cache mechanism (which they then later set to default to the value of allow-recursion, which makes much better sense).

2. As you suggested, stop forwarding. Forwarding is a bad idea here, as is often the case. Your external authoritative name servers (your BIND servers) should not also be performing recursion. Instead, just turn off forwarding on your MS DNS servers (your internal resolvers). You asked, "If so any clue on how to do that?" Yes: Just turn off forwarding. It will probably just work from there. You may have to tweak settings on your firewall to allow outbound queries from your MS DNS servers. You should be able to find this forwarding setting in the server's options or properties - I forget exactly where Microsoft puts it (because I'm used to our product's interface for MS DNS).

Chris Buxton
Professional Services
Men & Mice

On Jun 23, 2008, at 4:26 PM, Jeff Lightner wrote:

> I'm looking at a scan done to help us achieve PCI Compliance. On my external facing DNS servers it talks about "DNS Cache Snooping". They point to a document written in 2004 so I'm guessing it is a little out of date. On doing searches on the subject I'm finding pretty much the same document on or quoted on various sites. None of them really seem to say anything about how current BIND implementation (e.g. 9.3.4 P1) could be modified.
>
> I have prevented recursive lookups from outside. However on doing tests I have confirmed that recent recursive lookups from inside do in fact cause the servers to cache the records and subsequent digs from outside, while confirming recursive lookup was denied, do get the same record from cache as was returned on the original lookup from inside.
>
> Note that we are using what is being recommended as "Split DNS" already, i.e. the servers I'm speaking of only advertise those external facing domains we want to be visible. The internal lookups are all done by Windows DNS servers and those only refer external lookups (root hints) to the external DNS servers.
>
> Is this really a concern I should address? If so do I just need to turn off caching on my BIND servers completely? If so what is the best way to do that? Would it be better to try to configure the Windows DNS servers to do their own external lookups without going through my BIND servers? If so any clue on how to do that?
>
> FYI: I did search the archives which don't seem to mention this at all.
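For readers who want to see what solution 1 looks like in named.conf, here is an added sketch (constructed for this archive page, not Chris's or Men & Mice's code): the options-level allow-query closes the cache to the outside, and each public zone re-opens itself. The acl name "internaldns" is from the thread; the address ranges, zone names and file names are assumptions.

```conf
// Constructed example of solution 1: internal resolvers may still forward
// here and use the cache, but outside hosts can only reach authoritative
// zone data. Address ranges, zone names and file names are assumptions.
acl internaldns { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };

options {
    directory "/var/named";
    recursion yes;
    // Global default: only internal resolvers may query at all. With no
    // per-zone override, this is what denies cached (non-authoritative)
    // answers to external queriers.
    allow-query     { internaldns; };
    allow-recursion { internaldns; };
    // BIND 9.4.x only: restrict cache answers explicitly instead of relying
    // on the version-dependent default. Leave this line out on 9.3.x, where
    // the option does not exist and named-checkconf will reject it.
    allow-query-cache { internaldns; };
};

// Every externally visible zone needs this override; this is the
// "tedious to maintain" part.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};

zone "example.net" {
    type master;
    file "example.net.zone";
    allow-query { any; };
};

// Solution 2 (internal resolvers stop forwarding here): replace the
// recursion/allow-* lines in options with "recursion no;" and
// "allow-query { any; };", since an authoritative-only server has no cache
// to protect. The per-zone allow-query lines then become unnecessary.
```

Run named-checkconf on the result before reloading; on 9.3.x it will flag the allow-query-cache line, which is the cue to drop it.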

More information about the bind-users mailing list