RE: Cache poisoning - DNS


Thread: RE: Cache poisoning

  1. RE: Cache poisoning

    Right it has hints for root servers. OK so they are caching name
    servers in addition to being master/slaves if I read this correctly?

    In that case will the recursion setup mentioned prevent the poisoning?
    Nessus suggested I need to upgrade to later BIND 9 or earlier BIND 8.
    Was there a version of BIND 9 that couldn't be fixed via such a
    recursion setup?

    -----Original Message-----
    From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On
    Behalf Of Barry Margolin
    Sent: Friday, July 14, 2006 8:32 AM
    To: comp-protocols-dns-bind@isc.org
    Subject: Re: Cache poisoning

    In article ,
    "Jeff Lightner" wrote:

    > The BIND servers I'm talking about are a master and slave we use only
    > for external queries to our internet facing systems and for forwards to
    > the root servers from the inside (internally we have Windows DNS
    > servers).
    >
    > The question came up because our security admin ran a Nessus scan and it
    > indicated we're running a version of BIND susceptible to cache
    > poisoning. I'm going to upgrade the OS and the BIND on the servers in
    > question. I had asked to do this some months ago and the Nessus scan
    > helped me get the point across. However I was of the impression that
    > cache poisoning was only an issue on a caching name server and we aren't
    > running one. The responses you and Barry sent seem to confirm that. I
    > just wanted to know the urgency of doing the upgrade as approvals flow
    > like molasses around here.


    What do you mean by "forwards to the root servers from the inside"? You
    can't really use the root servers as forwarders, so I assume you mean it
    has root hints configured, and uses this to look up outside domains on
    behalf of queries coming from inside. This *is* a caching name server.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***




  2. Re: Cache poisoning

    Hello,

    Jeff Lightner wrote:
    > Right it has hints for root servers. OK so they are caching name
    > servers in addition to being master/slaves if I read this correctly?


    Maybe, maybe not. It depends on the recursion setup.

    > In that case will the recursion setup mentioned prevent the poisoning?


    No. It would only prevent external users from doing recursive queries
    which could cause cache poisoning. But it would not prevent internal
    users from doing so, nor external users from retrieving poisoned data
    from the cache.
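
An added example, not part of either post and not code from ISC or the posters: a small Python audit of a named.conf that reports whether a master/slave server is also acting as a caching resolver and which clients may recurse through it. The sample configuration, zone names and addresses are constructed, and the script assumes a single-view configuration with its options at global level.

```python
import re

# Constructed sample: a master/slave server that also has root hints, as in
# the thread. Zone names, file names and addresses are made up.
SAMPLE_CONF = '''
options {
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };  // the "recursion setup"
};
zone "." { type hint; file "named.ca"; };
zone "example.com" { type master; file "example.com.zone"; };
zone "example.net" { type slave; masters { 192.0.2.1; }; file "example.net.bak"; };
'''

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def audit(conf):
    """Classify a single-view named.conf: authoritative, caching, or both."""
    conf = strip_comments(conf)
    zones = []
    for m in re.finditer(r'\bzone\s+"([^"]*)"[^{;]*\{', conf):
        # Assumes every zone block states its type (first "type" after the brace).
        t = re.search(r'\btype\s+([\w-]+)\s*;', conf[m.end():])
        zones.append((m.group(1), t.group(1) if t else "unknown"))
    rec = re.search(r'\brecursion\s+(yes|no)\s*;', conf)
    recursion_on = rec is None or rec.group(1) == "yes"  # named defaults to yes
    acl = re.search(r'\ballow-recursion\s*\{([^}]*)\}', conf)
    clients = [c.strip() for c in acl.group(1).split(';') if c.strip()] if acl else None
    authoritative = sorted(n for n, t in zones if t in ("master", "slave"))
    findings = []
    if recursion_on:
        findings.append("server resolves for clients, so it keeps a cache")
        if authoritative:
            findings.append("cache shares the server with authoritative zones")
        if clients is None:
            findings.append("no allow-recursion: exposure depends on the version default")
        else:
            findings.append("recursion limited to %s; those clients can still "
                            "trigger lookups that fill the cache" % ", ".join(clients))
    return {"authoritative": authoritative, "caching": recursion_on,
            "has_root_hints": (".", "hint") in zones,
            "recursion_clients": clients, "findings": findings}

if __name__ == "__main__":
    for line in audit(SAMPLE_CONF)["findings"]:
        print("-", line)
```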


