As you suspect, this is a bad idea. Those who cannot query the server cannot poison the cache using the loopholes in the DNS protocol, i.e. put false data in your nameserver for names like www.google.com, www.yahoo.com, etc. There can be other impediments to poisoning the cache in this manner, but simply blocking such queries is an extremely effective way to totally eliminate a huge number of potential poisoners.
On Jan 5, 2009, at 6:15 AM, Chris Henderson wrote:
I've set up a secondary name server which works as a secondary or slave name server for my zone or domain name. However, I have tested and noticed that I can query for non-authoritative answers from my secondary or slave name server from outside my network. That is, anyone can use my name server to query any host name, e.g. www.google.com, www.yahoo.com etc. Is this a bad idea? How can I stop this? Thanks for any suggestions.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
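One way to block such queries in BIND 9, shown as an added example that is not part of the original thread. The ACL name `internal`, the address ranges, the zone name, the master address and the file path are placeholder assumptions.

```conf
// named.conf fragment (constructed example; names and addresses are placeholders)

// Clients allowed to use this server as a resolver.
acl "internal" {
    127.0.0.1;
    192.0.2.0/24;                      // placeholder for your own network
};

options {
    // Weak: with recursion on and no restriction, any outside host can
    // make this server look up and cache names such as www.google.com.
    //   recursion yes;
    //   allow-recursion { any; };

    // Corrected: only internal clients may recurse or read cached answers.
    recursion yes;
    allow-recursion   { internal; };
    allow-query-cache { internal; };   // available in BIND 9.4 and later

    // If the server is authoritative-only, turn recursion off instead:
    //   recursion no;
};

// The slave zone itself stays answerable by everyone.
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };            // placeholder master address
    file "slaves/example.com.db";
    allow-query { any; };
};
```

Run `named-checkconf` before reloading. A query from outside your network for a name outside your zones should then be refused, while queries for your own zone are still answered.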