Date:  Sun, 09 Nov 2008 17:27:33 +0000
From:  Dogsbody <dan (at mark) dogsbody.org>
Subject:  [coba-e:14289] Re: Cache snooping attacks, bind
To:  coba-e (at mark) bluequartz.org
Message-Id:  <49171D85.3020604 (at mark) dogsbody.org>
In-Reply-To:  <239638.36219.qm (at mark) web65603.mail.ac4.yahoo.com>
References:  <239638.36219.qm (at mark) web65603.mail.ac4.yahoo.com>
X-Mail-Count: 14289


>> I have tried this with our servers and it works. Currently
>> the only reasonable fix I have seen for this is to upgrade
>> BIND unless someone here has a better idea.
> 
> Couldn't you wipe the cache with a cron job?

I guess that is rather avoiding the whole point of having a recursive 
DNS server.

How about just having two DNS servers: an internal one that is "insecure" 
and that external people cannot connect to, and an external server that 
just hosts your external DNS and so will never cache things?

Dan
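The two-server split Dan suggests, written out as BIND `named.conf` fragments. This is an added example, not configuration posted in the thread: the ACL, listen addresses (from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges), the zone name and the zone file path are all assumed placeholders. The two `options` blocks belong to two separate servers (two separate `named.conf` files), never to one file.

```conf
// Constructed example (not from the thread): BIND named.conf fragments for the
// internal/external split. Addresses and names below are assumptions.

// ===== Server 1: internal recursive resolver (internal clients only) =====
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };   // assumed internal network

options {
    listen-on { 127.0.0.1; 192.0.2.53; };      // assumed internal address; not exposed
    recursion yes;
    allow-query       { trusted; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };            // outsiders cannot read the cache at all
};

// ===== Server 2: external authoritative-only server (what the Internet sees) =====
options {
    listen-on { 203.0.113.53; };               // assumed public address
    recursion no;                              // never resolves on behalf of clients,
                                               // so there is no cache to snoop
    allow-query       { any; };                // answers only for the zones it hosts
    allow-query-cache { none; };
    allow-transfer    { none; };               // add your secondaries here if you have any
};

zone "example.com" {                           // assumed zone name
    type master;
    file "/path/to/example.com.zone";          // placeholder path
};
```

With this split, the external server answers only for zones it is authoritative for and returns REFUSED for anything else, so the cache that snooping relies on does not exist on the reachable box; the internal resolver still caches normally but only talks to addresses in the `trusted` ACL. To confirm the external side after the change, a query to it for a name it does not host should come back REFUSED with the RA (recursion available) flag clear.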