Hello,

Are you letting your internal caching name server forward to an external one?
This is *dangerous* - cache poisoning attacks in this setup have a higher chance of success than the scenario shown by Dan Kaminsky! (The "window of opportunity" for success is *seconds*, rather than "fractions of seconds".)

I strongly advise not to forward to external, caching name servers. Or, if you do, also enable DNSSEC validation (and forward to an external name server that is at least "DNSSEC aware" - 8.8.8.8 is not: it searches for DS records in the wrong place).

Kind regards,

Marc Lampo
Security Officer
EURid (for .eu)

-----Original Message-----
From: Marseglia, Michael [mailto:michael.marseg...@chartercare.org]
Sent: 21 February 2012 10:20 PM
To: bind-users@lists.isc.org
Subject: RE: bind public/private domain question

...

named.conf.options

options {
    ...
    forwarders { 8.8.8.8; };
    ...
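Added example, not part of the original message and not code from the BIND project: a Python check for the setup discussed above, flagging a named.conf that sets forwarders without explicitly enabling DNSSEC validation. The function name audit_forwarding, the sample configurations, and the choice to require an explicit "dnssec-validation yes" or "auto" are assumptions of this example.

```python
import re

# Constructed sample modelled on the quoted named.conf.options fragment.
SAMPLE_FORWARD_ONLY = """
options {
    directory "/var/cache/bind";   // constructed value
    forwarders { 8.8.8.8; };
};
"""

# Constructed sample: forwarding with validation switched on.
SAMPLE_VALIDATING = """
options {
    forwarders { 192.0.2.53; };    # placeholder forwarder address
    dnssec-validation auto;
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments so commented-out options are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def audit_forwarding(conf_text):
    """Return (forwarders, dnssec_validation, finding) for named.conf text."""
    text = strip_comments(conf_text)
    fwd = re.search(r"\bforwarders\s*\{([^}]*)\}", text)
    forwarders = []
    if fwd:
        forwarders = [a.strip() for a in fwd.group(1).split(";") if a.strip()]
    val = re.search(r"\bdnssec-validation\s+(\w+)\s*;", text)
    validation = val.group(1).lower() if val else None
    if not forwarders:
        finding = "ok: no forwarders configured"
    elif validation in ("yes", "auto"):
        finding = "ok: forwarding with DNSSEC validation"
    else:
        # Assumption: an explicit setting is required, defaults are not trusted.
        finding = "risk: forwarding without DNSSEC validation"
    return forwarders, validation, finding


if __name__ == "__main__":
    for name, conf in (("forward-only", SAMPLE_FORWARD_ONLY),
                       ("validating", SAMPLE_VALIDATING)):
        print(name, audit_forwarding(conf))
```

The check only looks at the local configuration; whether the forwarder itself is DNSSEC aware still has to be verified separately.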