Cache only and reverse mapping

John Wobus jw354 at
Fri Dec 16 15:23:49 UTC 2011

On Dec 15, 2011, at 3:07 AM, sasa sasa wrote:
> For an ISP, is there any risk in configuring BIND DNS as cache only  
> and adding customer's reverse mapping zones?

If this copy of the reverse zone is for the world's use (i.e. in the  
delegation tree), then your DNS server would
be answering queries from the world, and a caching server answering  
queries from the world is vulnerable to known
cache vulnerabilities in the DNS protocol.  On the other hand, if this  
copy of the reverse zone is only to answer
your customer's queries, and the DNS server is configured not to  
answer queries from the world, then you've avoided
the DNS protocol vulnerabilities and there's no special risk attached  
to serving this zone.

Aside from the issue of preventing known cache vulnerabilities in the  
DNS protocol, folks often separate
caching from authoritative (specifically, in the delegation tree) as  
an insurance policy against bugs and
vulnerabilities that haven't been found yet.  It's hard to quantify  
risks associated with bugs and vulnerabilities
that no one has found yet and may not even exist.

> Any other possible implementations?

We'd have to know what you're trying to accomplish.

John Wobus
Cornell U

More information about the bind-users mailing list