bind public/private domain question

Marc Lampo marc.lampo at eurid.eu
Wed Feb 22 07:47:09 UTC 2012


Hello,

Are you letting your internal caching name server forward to an external
one?

This is *dangerous* - cache poisoning attacks in this setup have
 a higher chance of success than the scenario shown by Dan Kaminsky !
 (the "window of opportunity" for success is *seconds*,
  rather than "fractions of seconds") 

I strongly advise not to forward to external, caching name servers.
Or, if you do, also enable DNSSEC validation
(and forward to an external name server that is at least "DNSSEC aware"
 - 8.8.8.8 is not, searches for DS records in the wrong place)

Kind regards,

Marc Lampo
Security Officer
EURid (for .eu)


-----Original Message-----
From: Marseglia, Michael [mailto:Michael.marseglia at chartercare.org] 
Sent: 21 February 2012 10:20 PM
To: bind-users at lists.isc.org
Subject: RE: bind public/private domain question

...

named.conf.options
options {
...

         forwarders { 8.8.8.8; };

...

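The three named.conf.options variants below are an added illustration of the advice in this thread, not configuration from either poster. They contrast the setup quoted above (forward everything to an external resolver, no local validation) with the two alternatives Marc describes: recurse directly, or forward only to a DNSSEC-capable upstream while validating locally. Only one options block may appear in a real named.conf, so pick one; the internal prefix 10.0.0.0/8 and the upstream address 192.0.2.53 (RFC 5737 documentation range) are placeholders, and `dnssec-validation auto` assumes BIND 9.8 or later with the built-in root trust anchor.

```bind
// Added example, not from the original thread. Three mutually exclusive
// named.conf.options variants; install exactly one.

// --- Variant 1 (the setup quoted above): recursion for internal clients,
//     every query forwarded to an external resolver, no local validation.
//     Whatever reaches the forwarder's port first is cached and served,
//     so a spoofed reply to the forwarder poisons this cache too.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };  // placeholder internal prefix
    forward only;
    forwarders { 8.8.8.8; };
    dnssec-validation no;
};

// --- Variant 2 (preferred): no forwarders. The resolver walks the
//     delegation chain itself and validates signatures locally; a reply
//     that fails validation is dropped (client gets SERVFAIL) rather
//     than cached.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };  // placeholder internal prefix
    dnssec-validation auto;   // BIND 9.8+: uses the built-in root trust anchor
};

// --- Variant 3 (if forwarding is unavoidable): keep local validation on
//     and forward only to an upstream that returns RRSIG/DS records when
//     asked with the DO bit, otherwise every signed answer will SERVFAIL.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };  // placeholder internal prefix
    forward only;
    forwarders { 192.0.2.53; };   // placeholder address; must be DNSSEC-capable
    dnssec-validation auto;
};
```

Whichever variant is chosen, run `named-checkconf` on the result and confirm validation actually works before relying on it: a query for a signed name should come back with the AD bit set, and a query for a deliberately broken test zone should return SERVFAIL rather than an answer.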