Security Implications: DNS Recursive and Authoritative on Same Server

I've tried finding some real-world information about this without much success. If a single VPS runs an instance of bind9, I've read that it's a bad practice to run said instance as both recursive and authoritative. Instead, separate instances should be run--isolated from each other.

In named.conf.options if one were to do the following:

options {
    // Recursion is enabled in principle; the ACLs below decide who actually gets it.
    recursion yes;

    // Anyone may send queries. This is what makes the authoritative zones reachable.
    allow-query {
        any;
    };

    // Only local clients may read cached (non-authoritative) data.
    allow-query-cache {
        localhost;
        localnets;
    };

    // Only local clients may have queries recursed on their behalf.
    // Remote queries for names outside the hosted zones are answered REFUSED.
    allow-recursion {
        localhost;
        localnets;
    };

    // No zone transfers (AXFR/IXFR) to anyone.
    allow-transfer {
        none;
    };
};

Wouldn't that effectively limit recursion to the host itself and allow responses from others to be limited to only the ones the server is authoritative for?

What are the practical implications of such a setup? Why is it recommended to keep two separate installs of bind9 (or any DNS service) instead of just setting up restrictions like above?

Thanks.
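One way to verify what the configuration in the post actually does from an outsider's vantage point, as an added example that is not part of the original post: the script below sends two queries with the RD (recursion desired) bit set, one for a name in a zone the server hosts and one for a name it is not authoritative for, and classifies the pair of answers. It is plain standard library, no dig required. The server address 203.0.113.10 and the names ns1.example.com and www.example.org are placeholder assumptions; substitute your own.

```python
#!/usr/bin/env python3
"""Check, from outside the server's localnets, whether a BIND host answers its own
zones but refuses to recurse for everyone else.  Added example; not code from the
thread.  The server address and the two names are hypothetical placeholders."""
import random
import socket
import struct
from typing import Optional

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(qname: str, qtype: int = 1, rd: bool = True,
                txid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query (class IN, default QTYPE A) with the RD bit set,
    i.e. the kind of query an open-resolver scanner or a reflection attacker sends."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000            # QR=0, OPCODE=QUERY, RD
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname_wire + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the flags that matter here."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid,
            "qr": bool(flags & 0x8000),     # this is a response
            "aa": bool(flags & 0x0400),     # authoritative answer
            "rd": bool(flags & 0x0100),     # recursion desired (echoed back)
            "ra": bool(flags & 0x0080),     # recursion available to *this* client
            "rcode": flags & 0x000F,
            "ancount": an}


def classify(own_hdr: dict, foreign_hdr: dict) -> str:
    """own_hdr: reply for an existing name in a zone the server hosts.
    foreign_hdr: reply for a name the server is not authoritative for.
    Returns 'open-resolver', 'authoritative-only', 'broken' or 'unexpected'."""
    if not (own_hdr["rcode"] == 0 and own_hdr["aa"]):
        return "broken"                      # our own zone is not being served
    if foreign_hdr["rcode"] in (0, 3) and foreign_hdr["ra"]:
        return "open-resolver"               # it recursed for a stranger
    if foreign_hdr["rcode"] == 5:
        return "authoritative-only"          # REFUSED: recursion and cache denied
    return "unexpected"


def probe(server: str, qname: str, timeout: float = 3.0) -> dict:
    """Send one query over UDP and return the parsed response header."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != struct.unpack(">H", query[:2])[0] or not hdr["qr"]:
        raise ValueError("not a response to our query")
    return hdr


if __name__ == "__main__":
    import sys
    # Hypothetical defaults; run this from a host that is NOT in the server's localnets.
    server, own_name, foreign_name = (
        sys.argv[1:4] if len(sys.argv) == 4
        else ("203.0.113.10", "ns1.example.com", "www.example.org"))
    own, foreign = probe(server, own_name), probe(server, foreign_name)
    for label, h in (("own zone", own), ("foreign name", foreign)):
        print(f"{label:13s} rcode={RCODE_NAMES.get(h['rcode'], h['rcode'])} "
              f"aa={h['aa']} ra={h['ra']} answers={h['ancount']}")
    print("verdict:", classify(own, foreign))
```

Run it from a host outside localhost and localnets; from inside, the ACLs match and you will see recursion whatever the config says. With the options block from the post, the expected result is an aa answer for the hosted zone and REFUSED for the foreign name. The same two checks can be done by hand with `dig @203.0.113.10 ns1.example.com A` (flags should include aa) and `dig @203.0.113.10 www.example.org A` (status: REFUSED). A NOERROR answer with ra set for the foreign name means the host is an open resolver and can be pointed at third parties for reflection.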

Comments

  • The practical applications are serving only your zones from your nameservers, as is generally a good idea. Having a public recursing nameserver which serves other zones and your own is not suggested for security reasons, as well as a good way to keep your things mentally separate.

    I won't be back until @bsdguy is released.

  • In the above configuration my zones are served to everyone but recursion is only allowed on localhost (or localnets, if any). Which is the same net effect if I, for example, had two LXC containers: one for authoritative, one for internal recursion.

    Am I missing something?

    bind doesn't exactly use a lot of resources so I'm not against setting up things separately. And certainly I like, as you suggested, keeping things mentally separate. I just want to know why some articles I've read consider it a taboo to run both in the same instance.

  • I guess I don't understand why you're comparing running one daemon vs running two. I'd recommend keeping them separate. As I said, there are various reasons not to do so, most of which dealt with bind's lack of security in the past, as well as using your service as a simple DDoS against others. Don't expose more than your personal zones unless you know what you're doing.

    Do whatever you're going to do. Nobody cares until you're attacking them as a proxy.

    I won't be back until @bsdguy is released.
