Cache only and reverse mapping
jw354 at cornell.edu
Fri Dec 16 17:18:00 UTC 2011
On Dec 16, 2011, at 11:22 AM, sasa sasa wrote:
> I'm trying to set up a DNS for an ISP, this ISP's DNS is in
> delegation tree (answering world), and I know about cache
> vulnerabilities so I was wondering what is the best solution for ISPs?
> By separating cache from authorities, you mean implementing 2 DNSs
> (2 different IPs)? This doesn't sound practical.
Then I suspect you know all this, but...
The practicality certainly depends upon your site's situation. Many
sites have enough IPs to allocate a few more to DNS, and enough server
capacity to run more bind instances, but I imagine some don't.
Two such bind instances could be on different hardware or the same,
but two IPs would be necessary. Bind typically runs on OSes that,
barring tricks such as natting, generally support just one program
listening to a specific port/ip. Bind's "view" feature allows a single
bind instance on a single IP to act a bit like two instances, offering
some of the advantages of their respective functions.
Aside from this, a bind instance can be configured not to answer queries
for non-authoritative data from outside your address space. This also
gives you some of the risk advantages you'd get from running separate
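The view-based single-instance setup and the "don't answer non-authoritative queries from outside your address space" restriction described above, written out as an added example that is not part of the original post or of ISC's documentation; the addresses (RFC 5737 documentation ranges), the zone name and the file paths are placeholders.

```conf
// Added example (not from the post): one BIND instance on one IP using
// views to approximate a separate resolver and a separate authoritative
// server. Addresses, zone name and paths are placeholders.
acl "our-customers" { 192.0.2.0/24; 198.51.100.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { 203.0.113.53; };
    // Default for every view: no recursion; the internal view overrides.
    recursion no;
    allow-query { any; };
};

// Queries from our own address space get a full recursive resolver plus
// our authoritative zones. Outside hosts never reach this view, so they
// cannot query (or poison) its cache.
view "internal" {
    match-clients { our-customers; };
    recursion yes;
    allow-recursion { our-customers; };
    allow-query-cache { our-customers; };
    zone "example.net" {
        type master;
        file "master/example.net.db";
    };
};

// Everyone else gets authoritative answers only. A query for a name we
// are not authoritative for is REFUSED instead of being looked up or
// served from cache.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };
    zone "example.net" {
        type master;
        file "master/example.net.db";
    };
};
```

Run named-checkconf on the file before reloading; views do not share zone definitions, so every zone the world should see has to be listed in the "external" view as well.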