Sean Donelan wrote:
1. Separate your authoritative and recursive name servers
2. Recursive name servers should only get replies to their own DNS
queries from the Internet, they can use both UDP and TCP
We've just completed a project to separate our authoritative and
recursive servers and I have a couple notes...
1) For the recursive-only, we're using a combination of BIND's
"query-source address a.b.c.d" and "listen-on e.f.g.h" in the hopes of
providing some additional measure of protection against cache poisoning.
The "listen-on" IPs are ACL'd at the borders so non-clients cannot get
ANY packets to them. The "query-source address" itself doesn't appear in
the "listen-on" list either and won't respond to queries. I know this
isn't foolproof, but it probably raises the bar slightly against off-net
poisoning attempts.
2) The biggest drawback to separation after years of service is that
customers have come to expect their DNS changes are propagated instantly
when they are on-net. This turns out to be more of an annoyance to us
than our customers, since our zone is probably the most frequently updated.
3) I've gone so far as to remove the root hint zone from our auth-only
boxes, again out of paranoia ("recursion no" does the trick, this is
just an extra bit of insurance against someone flipping that bit due to
a lack of understanding of the architecture). There is one third party
we have to use an 'also-notify' by IP address in this case for their zone.
Mike
