Poisoning "External" Cache with "Internal" Info



08-05-2004
Crist J. Clark

I'm having some problems that involve poisoning my own cache
with data from an internal zone.

I'll warn you right now, this setup is a kludge on top of some
other kludges. I have a DNS server that provides services to
internal clients, server A.internal.example.com. It sees (well,
it's supposed to) the Internet root servers for recursive queries,
plus it has a heap of internal zones for which it is authoritative.
It is a master of some, a slave for others, and even is configured
to forward a zone (which is where the trouble begins).

The forwarded zone is being forwarded through an even "more
internal" DNS server, server B.way-internal.example.com. This more
internal server does NOT use the Internet roots. It has been told
that it is authoritative for ..

The problem is that when our server A.internal.example.com
forwards a query for this zone, example.ca,

example.ca IN ANY

to B.way-internal.example.com, B replies like so:

;; ANSWER SECTION:
example.ca. 3600 IN MX 10 mail.example.ca
example.ca 3600 IN MX 10.10.10.10

;; AUTHORITY SECTION:
ca. 86400 IN NS b.way-internal.example.com.

;; ADDITIONAL SECTION:
mail.example.com. 3600 IN A 10.10.10.11
b.way-internal.example.com. 3600 IN A 10.10.10.5

And now A.internal.example.com will actually believe that authority
information about the ca. TLD until it expires. Sorry, Canada, you
just dropped off the Internet as far as our Internet DNS can see.

Some additional, ugly, information. I cannot just do another slave
zone with this. B.way-internal.example.com is _also_ forwarding
this zone, and I really cannot change that. Getting that forwarding
to all work is why I needed to add records to make it authoritative
for ca. in the first place. (With no ca. zone, I was getting a
SERVFAIL.)

There are so many things wrong with this setup, but I don't see
a better way. The basic drivers here are that the DNS server
that is authoritative for example.ca will not do zone transfers,
thus I am forced to use forwarding. Second, A.internal.example.com
does not have access to that authoritative server due to firewall
policies, thus requiring that extra hop through B.way-internal.
Any ideas on how to get info on example.ca to A without poisoning
my cache?
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
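The cache pollution described in the post happens because the authority and additional sections of B's reply name a zone (ca.) above the zone that was actually forwarded (example.ca). The following is an added illustration, not code from the original post or from BIND: a bailiwick filter that accepts only authority/additional records at or below the forwarded zone, applied to the response quoted above (record data constructed from the post; the RR class and function names are this example's own).

```python
# Added example (not from the post or BIND): filter the authority/additional
# sections of a reply received through a forward zone so that records for names
# above the forwarded zone (e.g. "ca. NS b.way-internal...") never reach the cache.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def canon(name: str) -> str:
    """Lower-case the name and add the trailing dot so 'example.ca' == 'example.ca.'."""
    n = name.lower()
    return n if n.endswith(".") else n + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True when owner is the zone apex or a name strictly under the zone."""
    o, z = canon(owner), canon(zone)
    return z == "." or o == z or o.endswith("." + z)


def filter_forwarded_response(zone, authority, additional):
    """Split authority+additional records into (kept, dropped) by bailiwick.

    Anything naming the forwarded zone's parent (here "ca.") is a delegation
    claim the forwarder has no standing to make, so it is dropped; glue for a
    dropped NS is dropped for the same reason.
    """
    kept, dropped = [], []
    for rr in authority + additional:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


# Constructed from the reply quoted in the post (values as the poster gave them).
ZONE = "example.ca"
AUTHORITY = [RR("ca.", 86400, "NS", "b.way-internal.example.com.")]
ADDITIONAL = [RR("mail.example.ca.", 3600, "A", "10.10.10.11"),
              RR("b.way-internal.example.com.", 3600, "A", "10.10.10.5")]

if __name__ == "__main__":
    kept, dropped = filter_forwarded_response(ZONE, AUTHORITY, ADDITIONAL)
    for rr in dropped:
        print("rejected (out of bailiwick for %s):" % ZONE, rr)
```

With this check in place, the in-zone A record for mail.example.ca. survives while the ca. NS record and its glue are discarded, which is the behaviour a resolver needs to avoid the "Canada dropped off the Internet" effect.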
