RE: Cache poisoning - DNS

Thread: RE: Cache poisoning

  1. RE: Cache poisoning

    The BIND servers I'm talking about are a master and slave we use only
    for external queries to our internet facing systems and for forwards to
    the root servers from the inside (internally we have Windows DNS
    servers).

    The question came up because our security admin ran a Nessus scan and it
    indicated we're running a version of BIND susceptible to cache
    poisoning. I'm going to upgrade the OS and the BIND on the servers in
    question. I had asked to do this some months ago and the Nessus scan
    helped me get the point across. However I was of the impression that
    cache poisoning was only an issue on a caching name server and we aren't
    running one. The responses you and Barry sent seem to confirm that. I
    just wanted to know the urgency of doing the upgrade as approvals flow
    like molasses around here.

    -----Original Message-----
    From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On
    Behalf Of David Miller
    Sent: Friday, July 14, 2006 12:40 AM
    To: bind-users@isc.org
    Subject: Re: Cache poisoning

    If you provide a caching name server (most normal corporate/public
    networks do) then it can be poisoned with bad entries. One way to be
    a good citizen on the net is to not allow recursion outside your
    network. This way if your cache is poisoned you won't be contributing
    to the problem outside your own network. It is as simple as setting
    up an ACL for the subnets you control. For example:

    // the subnets you control and want to serve recursive answers to
    acl "internal" { 10.1.1.0/24; };

    options {
        // everyone else gets REFUSED for recursive queries
        allow-recursion { internal; };
    };


    On Jul 13, 2006, at 10:39 AM, Jeff Lightner wrote:

    > Is cache poisoning an issue for standard master/slave name servers or
    > only for caching name servers?
    > Jeffrey C. Lightner
    > Unix Systems Administrator
    > DS Waters of America, LP
    > 678-486-3516

  2. Re: Cache poisoning

    In article ,
    "Jeff Lightner" wrote:

    > The BIND servers I'm talking about are a master and slave we use only
    > for external queries to our internet facing systems and for forwards to
    > the root servers from the inside (internally we have Windows DNS
    > servers).
    >
    > The question came up because our security admin ran a Nessus scan and it
    > indicated we're running a version of BIND susceptible to cache
    > poisoning. I'm going to upgrade the OS and the BIND on the servers in
    > question. I had asked to do this some months ago and the Nessus scan
    > helped me get the point across. However I was of the impression that
    > cache poisoning was only an issue on a caching name server and we aren't
    > running one. The responses you and Barry sent seem to confirm that. I
    > just wanted to know the urgency of doing the upgrade as approvals flow
    > like molasses around here.


    What do you mean by "forwards to the root servers from the inside"? You
    can't really use the root servers as forwarders, so I assume you mean it
    has root hints configured, and uses this to look up outside domains on
    behalf of queries coming from inside. This *is* a caching name server.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  3. Re: Cache poisoning
    "Jeff Lightner" wrote in message
    news:e98272$2h9$1@sf1.isc.org...
    > The BIND servers I'm talking about are a master and slave we use only
    > for external queries to our internet facing systems and for forwards to
    > the root servers from the inside (internally we have Windows DNS
    > servers).
    >
    > The question came up because our security admin ran a Nessus scan and it
    > indicated we're running a version of BIND susceptible to cache
    > poisoning.
    That barely perceptible dimming of your light fixtures happened to be a
    thousand script kids turning on their boxes and aiming in your general
    direction.
    jcj