BIND offers more configuration options than Microsoft DNS. One example is the handling of recursive queries.
Recursive queries can present a major threat to DNS servers because they can be used to carry out cache poisoning attacks (check out this). So, as a design best practice, recursive queries should be permitted only from trusted sources.
As depicted in the following design, only iterative queries are permitted from the Internet.
With BIND it is possible to restrict recursive queries to trusted sources only. This is done in the /etc/bind/named.conf file by adding the following configuration:
options {
    // replace trusted_ip_addresses with the trusted client addresses or networks
    allow-recursion { trusted_ip_addresses; };
};
Microsoft DNS doesn’t have such granularity: you can only disable recursive queries, not restrict them.
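One way to check that a named.conf follows the restriction described above, as an added example that is not part of the original post: the script flags an allow-recursion list that is missing or that resolves to any source, following named ACLs. The function name, the sample configurations and the 192.0.2.0/24 range are constructed for illustration, and only flat (non-nested) address match lists are handled.

```python
import re

# Constructed sample configurations (not from the original post).
# 192.0.2.0/24 is a documentation address range.
OPEN_CONF = """
options {
    allow-recursion { any; };  // every client may recurse
};
"""
RESTRICTED_CONF = """
acl "trusted" { 192.0.2.0/24; localhost; };
options {
    recursion yes;
    allow-recursion { trusted; };  /* internal resolvers only */
};
"""
WILDCARDS = {"any", "0.0.0.0/0", "::/0"}

def _elements(body):
    """Split a flat address match list into elements (nested lists unsupported)."""
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]

def audit_recursion(conf):
    """Return a list of findings about who may send recursive queries."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # block comments
    conf = re.sub(r"(//|#)[^\n]*", "", conf)            # line comments
    if re.search(r"(?<![\w-])recursion\s+no\s*;", conf):
        return []                                       # recursion disabled outright
    acls = {name: _elements(body) for name, body in
            re.findall(r'(?<![\w-])acl\s+"?([\w.-]+)"?\s*\{([^{}]*)\}', conf)}
    lists = re.findall(r"(?<![\w-])allow-recursion\s*\{([^{}]*)\}", conf)
    if not lists:
        return ["allow-recursion is not set explicitly"]
    findings = []
    for body in lists:
        pending, seen = _elements(body), set()
        while pending:                                  # expand named ACLs
            item = pending.pop()
            if item in seen or item.startswith("!"):    # skip negated entries
                continue
            seen.add(item)
            pending.extend(acls.get(item, []))
        if seen & WILDCARDS:
            findings.append("allow-recursion permits any source: " + body.strip())
    return findings

if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("restricted", RESTRICTED_CONF)):
        print(label, audit_recursion(conf) or "OK")
```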