Sean Donelan wrote:
1. Separate your authoritative and recursive name servers 2. Recursive name servers should only get replies to their own DNS queries from the Internet, they can use both UDP and TCP
We've just completed a project to separate our authoritative and recursive servers and I have a couple notes... 1) For the recursive-only, we're using a combination of BIND's "query-source address a.b.c.d" and "listen-on e.f.g.h" in the hopes of providing some additional measure of protection against cache poisoning. The "listen-on" IPs are ACL'd at the borders so non-clients cannot get ANY packets to them. The "query-source address" itself doesn't appear in the "listen-on" list either and won't respond to queries. I know this isn't foolproof, but it probably raises the bar slightly against off-net poisoning attempts. 2) The biggest drawback to separation after years of service is that customers have come to expect their DNS changes are propagated instantly when they are on-net. This turns out to be more of an annoyance to us than our customers, since our zone is probably the most frequently updated. 3) I've gone so far as to remove the root hint zone from our auth-only boxes, again out of paranoia ("recursion no" does the trick, this is just an extra bit of insurance against someone flipping that bit due to a lack of understanding of the architecture). There is one third party we have to use an 'also-notify' by IP address in this case for their zone. Mike