> On Oct 27, 2017, at 10:29 AM, Kris Deugau <kdeu...@vianet.ca> wrote:
> 
>> There are two prerequisites for DANE verification to happen:
>> 
>>   1. Your DNS resolver in /etc/resolv.conf needs to be a *validating*
>>      DNS resolver and for any meaningful security must be either on
>>      the loopback interface or reachable via a securely keyed IPsec
>>      tunnel or similar.
> 
> I'm curious how necessary this really is in the case of "many" servers
> all talking to a local cache on the same switch.  Do I really have to set
> up IPsec tunnels for DANE-friendly DNS resolution on those machines

With UDP queries the attacker need not be on the same network, they just
need to forge UDP packets with a source address of the other server.
And you're exposed to anything else with access to the switch.  In any
case, you don't need to query a remote cache when a local one works
just as well or better.

> Setting up a cache on each machine would be simpler, but then you lose
> the benefit of merging cached results from multiple requesting systems

No, you don't.  Each local cache can forward to the same designated
cache you'd otherwise use directly.  But, because the local caches
would have *validation* enabled, this is completely safe.

> - you end up either forwarding to another local cache anyway, or
> multiplying your external DNS lookup traffic by the number of servers
> in the cluster.

This is not the case.  With validation in the local cache, it does not
matter what path DNSSEC-authenticated responses take to get to that
cache.

For full security with a local loopback cache, it may be necessary to
configure the system firewall to drop forged packets with 127.0.0.0/8
or ::1/128 source addresses arriving from non-loopback interfaces.
IIRC, not all operating systems will do this automatically.

-- 
        Viktor.
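
The two checks the reply above implies, written out as an added example that is not part of the original thread or of any mailer's own code: is the configured resolver on loopback, and does a TLSA answer actually carry the AD (authenticated data) bit that only a validating resolver sets? The function names, the sample resolv.conf texts and the hand-built DNS packets are assumptions made for this example, not captures from a real system.

```python
"""Preflight checks for DANE-capable resolution (added example, not from the thread).

Function names, the constructed packets and the sample resolv.conf texts are
assumptions made for this example; they are not taken from any real system.
"""
import ipaddress
import struct

# DNS header flag bits (RFC 1035 / RFC 4035).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
TYPE_TLSA, TYPE_OPT, CLASS_IN = 52, 41, 1
EDNS_DO = 0x8000  # DNSSEC OK bit, carried in the TTL field of the OPT RR


def resolver_addresses(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf text."""
    addrs = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]  # strip comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            addrs.append(parts[1])
    return addrs


def resolver_is_loopback(resolv_conf: str) -> bool:
    """True only if every configured nameserver is a loopback address
    (127.0.0.0/8 or ::1); a cache reached over the LAN is spoofable."""
    addrs = resolver_addresses(resolv_conf)
    if not addrs:
        return False
    try:
        return all(ipaddress.ip_address(a.split("%", 1)[0]).is_loopback
                   for a in addrs)
    except ValueError:
        return False


def encode_name(qname: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int, txid: int) -> bytes:
    """Build a recursive query with an EDNS(0) OPT record and DO set, so a
    validating resolver returns DNSSEC data and can set AD on the answer."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_flags(response: bytes) -> dict:
    """Decode the header of a DNS response into its flag bits."""
    if len(response) < 12:
        raise ValueError("truncated DNS message")
    txid, flags = struct.unpack("!HH", response[:4])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & 0x000F,
    }


def dane_usable(response: bytes, expected_id: int) -> bool:
    """A TLSA response may drive DANE only if it answers our transaction,
    is NOERROR and carries AD, i.e. the trusted local resolver validated it."""
    f = parse_flags(response)
    return f["qr"] and f["id"] == expected_id and f["rcode"] == 0 and f["ad"]


def sample_response(flags: int, txid: int = 0x1234) -> bytes:
    """Constructed response: header plus echoed question, no answer records.
    Enough for the flag checks above; not a real capture."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name("_25._tcp.mail.example.com") + struct.pack("!HH", TYPE_TLSA, CLASS_IN)
    return header + question


VALIDATED_RESPONSE = sample_response(QR | RD | RA | AD)  # what a validating local cache returns
UNVALIDATED_RESPONSE = sample_response(QR | RD | RA)     # AD clear: DANE must not be used


if __name__ == "__main__":
    print("loopback resolver:", resolver_is_loopback("nameserver 127.0.0.1\n"))
    print("validated answer usable:", dane_usable(VALIDATED_RESPONSE, 0x1234))
    print("unvalidated answer usable:", dane_usable(UNVALIDATED_RESPONSE, 0x1234))
```

The loopback check covers only half of the advice in the reply: a cache on 127.0.0.1 that forwards to the shared site cache is fine because it validates what comes back, but the host still needs the firewall rule the last paragraph mentions, for instance an nftables input rule of the form `iif != "lo" ip saddr 127.0.0.0/8 drop` (and the ::1 equivalent), so that a packet spoofed with a loopback source cannot arrive from the wire.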
