Cache only and reverse mapping
John Wobus
jw354 at cornell.edu
Fri Dec 16 15:23:49 UTC 2011
On Dec 15, 2011, at 3:07 AM, sasa sasa wrote:
> For an ISP, is there any risk in configuring BIND DNS as cache only
> and adding customer's reverse mapping zones?
If this copy of the reverse zone is for the world's use (i.e. in the delegation tree), then your DNS server would be answering queries from the world, and a caching server answering queries from the world is vulnerable to known cache vulnerabilities in the DNS protocol. On the other hand, if this copy of the reverse zone is only to answer your customer's queries, and the DNS server is configured not to answer queries from the world, then you've avoided the DNS protocol vulnerabilities and there's no special risk attached to serving this zone.
Aside from the issue of preventing known cache vulnerabilities in the DNS protocol, folks often separate caching from authoritative (specifically, in the delegation tree) as an insurance policy against bugs and vulnerabilities that haven't been found yet. It's hard to quantify risks associated with bugs and vulnerabilities that no one has found yet and may not even exist.
> Any other possible implementations?
We'd have to know what you're trying to accomplish.
John Wobus
Cornell U
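As an added illustration of the two configurations discussed in the reply above (this is editor-supplied example configuration, not something from John's message or from the BIND project), the named.conf fragments below contrast the risky setup, a world-reachable caching server that also carries a reverse zone, with the separated setup he recommends. The customer prefix 192.0.2.0/24, the reverse zone 2.0.192.in-addr.arpa, the file names and the ACL name are constructed for the example; substitute your own.

```conf
// ---------------------------------------------------------------
// RISKY: one named instance that recurses for anyone AND is listed
// in the delegation tree for the customer's reverse zone.
// The cache is exposed to every host on the Internet.
// ---------------------------------------------------------------
options {
    recursion yes;
    allow-query     { any; };   // world can ask anything
    allow-recursion { any; };   // world can use the cache
};

zone "2.0.192.in-addr.arpa" {
    type master;                // "type primary" in newer BIND
    file "db.2.0.192.in-addr.arpa";
};

// ---------------------------------------------------------------
// SEPARATED: resolver instance (e.g. /etc/named-resolver.conf)
// Recursion and cache access restricted to customer address space;
// no zone in the delegation tree lives here.
// ---------------------------------------------------------------
acl customers { 192.0.2.0/24; 127.0.0.1; };   // constructed prefix

options {
    recursion yes;
    allow-query       { customers; };
    allow-recursion   { customers; };
    allow-query-cache { customers; };   // explicit; defaults to allow-recursion
};

// ---------------------------------------------------------------
// SEPARATED: authoritative instance (e.g. /etc/named-auth.conf),
// run as a different process on a different address.
// No recursion at all, so there is no cache for the world to attack;
// the reverse zone is answered for everyone, as delegation requires.
// ---------------------------------------------------------------
options {
    recursion no;
    allow-query    { any; };
    allow-transfer { none; };   // add secondaries' addresses as needed
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "db.2.0.192.in-addr.arpa";
};
```

After deploying the separated form, a query with the RD bit set from an address outside the customer ACL should be refused by the resolver instance, and the authoritative instance should answer only for names under the zones it carries, returning REFUSED for anything else; `dig +norecurse` against the authoritative address and `dig` from a non-customer address against the resolver are the usual checks.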