Re: Unapproved updates
From: Scott Gifford (sgifford@suspectclass.com)
Date: 11/16/01
To: "Fab Siciliano" <fsiciliano@optiumcorp.com>
Subject: Re: Unapproved updates
From: Scott Gifford <sgifford@suspectclass.com>
Date: 16 Nov 2001 12:17:50 -0500
Message-ID: <lyd72iprcx.fsf@gfn.org>

"Fab Siciliano" <fsiciliano@optiumcorp.com> writes:
> Hey everybody,
>
> I just recently started seeing all these unapproved updates hitting my
> dns server in /var/log/messages. Is this a security risk? Do I need to
> allow updates if it's a secondary dns server? If I don't allow updates,
> then there would be no point to direct users to it...right? Because it
> wouldn't be caching other hosts' info. Am I right on this or WAY OFF?
> Thanks,

By "secondary", do you mean a caching-only server, or a slave server
for one or more DNS zones?

If it's a caching-only server, you shouldn't be accepting updates at
all. DNS doesn't use updates to notify name servers of changes in
normal use; it uses timeouts and asking for the data again.

If it's a slave server for one or more DNS zones, it should accept
some updates. You'll need to talk to the people operating the master
server it's receiving updates from to know what to expect; generally
you'll allow updates to particular zones from particular IP
addresses. Newer versions of some DNS software (notably BIND) have
more complex authentication mechanisms, although as far as I know they
aren't used all that widely.

Good luck,
----ScottG.
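
An added example, not part of the original message: one way to check the rejected updates in /var/log/messages against the "particular zones from particular IP addresses" you agreed with the master's operators. The log line format (BIND 8 style), the EXPECTED policy and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed BIND 8 style syslog text; adjust the pattern to what your named logs.
REJECT = re.compile(
    r"unapproved update from \[(?P<ip>[0-9.]+)\]\.(?P<port>\d+) for (?P<zone>\S+)"
)

# Hypothetical policy: zone -> hosts the master's operators say may send updates.
EXPECTED = {"example.com": {"192.0.2.10"}}

# Constructed sample lines, not taken from the original post.
SAMPLE_LOG = """\
Nov 16 11:02:13 ns2 named[412]: unapproved update from [192.0.2.10].1046 for example.com
Nov 16 11:02:40 ns2 named[412]: unapproved update from [198.51.100.23].1311 for example.com
Nov 16 11:03:02 ns2 named[412]: unapproved update from [198.51.100.23].1312 for example.com
Nov 16 11:04:55 ns2 named[412]: unapproved update from [203.0.113.7].2050 for example.net
Nov 16 11:05:01 ns2 sshd[900]: Accepted password for admin from 192.0.2.50 port 2201
"""


def triage(log_text, expected=EXPECTED):
    """Count rejected updates per (zone, source) and split them by policy."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            # Normalise the zone name so "Example.COM." matches the policy key.
            counts[(m["zone"].rstrip(".").lower(), m["ip"])] += 1
    report = {"expected_but_rejected": {}, "unexpected": {}}
    for (zone, ip), n in sorted(counts.items()):
        known = ip in expected.get(zone, ())
        report["expected_but_rejected" if known else "unexpected"][(zone, ip)] = n
    return report


if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_LOG).items():
        print(bucket)
        for (zone, ip), n in rows.items():
            print(f"  {zone:<14} {ip:<16} {n}")
```

Entries under expected_but_rejected mean the server's access list does not match what was agreed with the master; entries under unexpected are sources that were never supposed to send updates to this server.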