disabling lame server logging

Daniel McDonald dan.mcdonald at austinenergy.com
Tue Feb 26 16:57:31 UTC 2013


On 2/26/13 10:43 AM, "Sten Carlsen" <stenc at s-carlsen.dk> wrote:

> On 26/02/13 15:50, Robert Moskowitz wrote:
>
>> I would expect that a namecaching server on the mailserver would reduce
>> traffic and resources all the way around.
>>
>> I don't need my mailserver to constantly be asking my name server about,
>> say, zen.spamhaus.org.
>
> This is one reason my mailserver has a DNS server. No forward, that only
> slows down things.
> The question here is whether there is a good reason that this instance must
> not go directly to the roots?

In my opinion mail servers that receive outside mail should point to root
servers and nothing internally.  Particularly if you have spam filtering
that relies on any sort of dns lookup.  A message will cause a spam filter
to produce a predictable set of queries, so someone who can come up with a
bind vulnerability can force your mail server to make potentially vulnerable
requests.  If the vulnerability involves cache poisoning, then the malware
authors would be able to pollute your internal DNS by convincing your spam
filter to query crafted entries.

That's not to say that there is currently any cache-poisoning vulnerability
that someone might exploit, or that any current malware makes use of this
two-phase approach to exploit desktops.  But why take the risk when setting
up bind as a recursive server pointing at roots is so trivial?



-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
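As an added example (not from the thread or its authors), the BIND named.conf fragment below shows the setup Daniel describes: a resolver on the mail host that recurses from the root hints itself, answers only the local spam filter, and does not forward to the internal name servers. The weak forwarding variant is shown commented out for contrast; all addresses are placeholders.

```conf
// Added example, not from the thread: named.conf for a resolver that runs
// on the mail server itself. Addresses are placeholders (RFC 5737 range).

// --- Weak setting: the mail host's resolver forwards everything to the
// --- internal DNS that desktops also use. Any query a spam filter can be
// --- induced to make now lands in the shared internal cache.
// options {
//     recursion yes;
//     forwarders { 192.0.2.10; 192.0.2.11; };   // internal DNS (placeholder)
//     forward only;
// };

// --- Setting the post argues for: no forwarders, recurse from the roots,
// --- and let nothing but the mail host itself use this cache.
options {
    directory "/var/named";
    listen-on { 127.0.0.1; };          // reachable only from this host
    listen-on-v6 { ::1; };
    recursion yes;
    allow-query { localhost; };        // the spam filter is the only client
    allow-recursion { localhost; };
    // No "forwarders" statement: every lookup walks from the root hints,
    // so a poisoned answer can only ever land in this host's own cache.
    dnssec-validation auto;            // drop forged answers for signed zones
};

// Root hints; the named.root file is published by InterNIC.
zone "." {
    type hint;
    file "named.root";
};

// Then point the mail host at its own resolver in /etc/resolv.conf:
//   nameserver 127.0.0.1
```

Because the cache is private to the mail host, a poisoned entry obtained via spam-filter lookups cannot be served to desktops or other internal clients.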
