Re: [ga] Rogue (Fraudulent) DNS Servers?
http://www.infoworld.com/article/07/12/11/DNS-attack-could-signal-Phishing-2.0_1.html

The researchers estimate that there are 17 million open-recursive DNS servers

If you are running BIND it is possible to create "views" that will, I believe, defeat this concern. (Of course, if the underlying OS is Windoz all bets are off.)

On my own resolvers I have an external view in which my resolvers will answer queries only for names for which my servers are authoritative. Unless a query source qualifies for my internal view, below, it gets the external treatment - which means that if you ask one of my servers for some j-random name that isn't one of mine it'll tell you to go pound sand.

I have an internal view which is available to machines on my address blocks (and a few others). In that view my resolvers will do a lookup on any query name.

It's not too hard to set this up - but not trivial. For example, take a look at http://www.cymru.com/Documents/secure-bind-template.html

--karl--
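A sketch of the two-view arrangement described in the message above, added here as an illustration; it is not the poster's configuration and not the Team Cymru template. The ACL name, address block, zone name and file paths are all placeholders.

```conf
// named.conf fragment (constructed example; every name and address is a placeholder)

acl "trusted" {
    127.0.0.0/8;
    192.0.2.0/24;            // stands in for the operator's own address blocks
};

options {
    directory "/var/named";
    allow-transfer { none; };
};

// Views are evaluated in order and the first match wins,
// so the internal view has to be listed before the catch-all.
view "internal" {
    match-clients { "trusted"; };
    recursion yes;                     // full lookups for any query name
    allow-recursion { "trusted"; };

    zone "example.com" IN {
        type master;
        file "internal/example.com.zone";
    };
};

view "external" {
    match-clients { any; };            // everyone who did not match "internal"
    recursion no;                      // never resolve on behalf of outsiders
    allow-query-cache { none; };       // and never answer them from cache

    // Only authoritative data is served in this view.
    zone "example.com" IN {
        type master;
        file "external/example.com.zone";
    };
};
```

Once any view is defined, every zone statement has to live inside a view. `named-checkconf` validates the syntax before a reload; a query from an outside address for a name the server is not authoritative for should then come back without an answer.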