I'm trying to set up a DNS server for an ISP. This ISP's DNS is in the delegation tree (answering the world), and I know about cache vulnerabilities, so I was wondering what the best solution for ISPs is.
By separating cache from authorities, do you mean implementing two DNS servers (two different IPs)? This doesn't sound practical.


> For an ISP, is there any risk in configuring BIND DNS as cache only and adding customer's reverse mapping zones?

If this copy of the reverse zone is for the world's use (i.e. in the delegation tree), then your DNS server would
be answering queries from the world, and a caching server answering queries from the world is vulnerable to known
cache vulnerabilities in the DNS protocol.  On the other hand, if this copy of the reverse zone is only to answer
your customer's queries, and the DNS server is configured not to answer queries from the world, then you've avoided
the DNS protocol vulnerabilities and there's no special risk attached to serving this zone.

Aside from the issue of preventing known cache vulnerabilities in the DNS protocol, folks often separate
caching from authoritative (specifically, in the delegation tree) as an insurance policy against bugs and
vulnerabilities that haven't been found yet.  It's hard to quantify risks associated with bugs and vulnerabilities
that no one has found yet and may not even exist.

> Any other possible implementations?

We'd have to know what you're trying to accomplish.

John Wobus
Cornell U
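
The split John describes, written out as BIND configuration. This is an added example, not part of the thread and not taken from BIND's documentation; the addresses (customer prefixes 192.0.2.0/24 and 198.51.100.0/24, resolver 192.0.2.53, authoritative server 203.0.113.53), the host names and the zone 2.0.192.in-addr.arpa are assumed for illustration. The two `options` blocks belong to two separate named.conf files on two separate servers: a caching resolver that answers only customers, and a recursion-free authoritative server that is the one actually named in the parent's delegation.

```conf
// Added example; assumed addresses and names, not from the original post.

// ===== /etc/named.conf on Server A: customer-facing caching resolver =====
acl customers { 192.0.2.0/24; 198.51.100.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { 192.0.2.53; };
    recursion yes;
    allow-recursion { customers; };    // only customers may drive the cache
    allow-query-cache { customers; };  // the world cannot read cached answers either
    allow-query { customers; };        // default for every zone on this box
    dnssec-validation auto;            // validates upstream answers; a poisoned
                                       // answer for a signed zone fails validation
};

// Local copy of the reverse zone, served only to customers (John's second case).
// The world is refused here, so this server must NOT be the one in the delegation.
zone "2.0.192.in-addr.arpa" {
    type slave;                        // one master copy lives on Server B
    masters { 203.0.113.53; };
    file "slave/db.2.0.192.in-addr.arpa";
    allow-query { customers; };
    allow-transfer { none; };
};

// ===== /etc/named.conf on Server B: authoritative only, listed in the delegation =====
options {
    directory "/var/named";
    listen-on { 203.0.113.53; };
    recursion no;                      // no cache exists, so nothing to poison
    allow-query { any; };              // the world must be able to reverse-map your customers
    allow-transfer { none; };          // default; overridden per zone below
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "db.2.0.192.in-addr.arpa";
    allow-query { any; };
    allow-transfer { 192.0.2.53; };    // only the resolver may copy the zone
};
```

Check each file with `named-checkconf` before reloading. From a host outside the customer prefixes, `dig @203.0.113.53 www.example.net A` should come back REFUSED rather than answered, and `dig @192.0.2.53 www.example.net A` should also be REFUSED; from a customer address, `dig -x 192.0.2.10 @192.0.2.53` answers from the local slave copy without the resolver ever asking the world for your own reverse zone. BIND views can put both roles on one IP if two addresses really are impractical, but both views then share one `named` process, which gives up exactly the insurance against as-yet-unknown bugs that John mentions.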
