North American Network Operators Group

Re: how to protect name servers against cache corruption
Isolating recursive from non-recursive servers has a ton of benefits:

1. measuring your external from internal queries becomes easier, hence budgeting for the appropriate servers has a cost matching ability
2. to use distributed director from cisco, you need non-recursive authoritative servers
3. your authoritative servers become less susceptible to corruption from a looped delegation, hence isolating your DNS problems to the recursive resolvers instead of taking down all your authoritative abilities

etc. etc.

Rob

> a BIND 4.9.6 or 8.1.1 server is immune. so, you could upgrade. to do so,
> see http://www.isc.org/isc/ which will lead you to ftp://ftp.isc.org/isc/.
> (the root name servers are all running modern software at this point.)
>
> alternic's corruption works by locating authoritative name servers via the
> "NS RR"'s published in various zones. if you run these as authoritative-
> only (recursion disabled) then they will never fetch any data from anywhere.
> (the root name servers are configured this way, for example.) the downside
> is that you can't list such nameservers in your "resolv.conf" files or PC
> equivalents (Control Panel\Networking\TCP IP Settings, or some such rot.)
> this means you need more name servers if you separate recursive from non-
> recursive.
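As an added illustration of the split discussed above (these fragments are not from the original post or from ISC), here are two minimal BIND named.conf files: one for an authoritative-only server with recursion disabled, the other for the recursive resolver that clients actually list in resolv.conf. The zone name example.com, the 192.0.2.0/24 and 198.51.100.0/24 address ranges, and the file paths are placeholders chosen for this example.

```conf
// ---- named.conf on the authoritative-only host ----
// Constructed example: zone, addresses and paths are placeholders.
options {
    directory "/var/named";
    recursion no;                   // never chase referrals, never fill a cache,
                                    // so nothing an outside zone publishes can be
                                    // pulled in and cached here
    allow-query { any; };           // anyone may ask about zones we serve
    allow-transfer { 192.0.2.2; };  // only our secondary may pull the zone
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// ---- named.conf on the recursive resolver host (a different machine) ----
// This is the address that goes into clients' resolv.conf; it serves no zones
// of its own, so a looped or corrupted delegation can only disturb this cache,
// not the data the authoritative host publishes.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; 198.51.100.0/24; };  // internal clients only
};
```

The authoritative-only host answers only for zones it serves; a client query for any other name gets no useful answer from it, which is exactly why the quoted reply says you cannot list such a server in resolv.conf and therefore need more name servers once the roles are separated.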