neurotoxx 0 Newbie Poster

I have a question regarding the mitigation of Kaminsky's and the older cache poisoning exploits. It has been documented that using your upstream provider's resolvers can help against these types of attacks.
I currently have the following statement in our external name server's named.conf file (the addresses have been changed for obvious reasons):

options {
    directory "/usr/local/named";
    allow-transfer { none; };
    allow-recursion { 172.20/16; /* internal IP range */ xxx.xxx/16; /* external IP range */ 10.10.10.10; 10.10.10.20; 10.20.20.20; 10.20.20.10; };
    version "Not Available";
    pid-file "/usr/local/named/named.pid";
    query-source address * port 53;
};

According to some of the docs I've read on the internet, to forward to a patched name server you should add these statements to your named.conf options field.

options {
    // only use forwarders; don't look up on our own
    forward only;
    // replace with IPs for your secure forwarders
    forwarders { 192.168.100.12; 10.0.54.5; };
};

My question is, do I completely remove the allow-recursion statements and replace with the forward only values? Or, do I just remove the external IP range from my current "allow-recursion" field and keep the restrictions for my internal NAT'ed addresses? Also, should I change the query-source values, or remove them also?

Thanks for any help,
Neurotoxx
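As an added example (editor-written, not part of the original post and not BIND's own tooling), the script below parses the `options { ... }` block of a named.conf of the shape shown in the post and reports the three things the question turns on: a `query-source` that pins the outbound port (which defeats source-port randomisation, the core Kaminsky mitigation), `allow-recursion` entries that lie outside RFC 1918 space, and `forward only` with no forwarders. Both configurations embedded in it are constructed samples with placeholder addresses; 203.0.113.0/24 (an RFC 5737 documentation range) stands in for the poster's external range, and the `audit` function and its messages are this example's own.

```python
import ipaddress
import re

# Constructed sample: an options block like the one in the post, with a fixed
# outbound port and recursion offered to a non-private (documentation) range.
FIXED_PORT_CONF = """
options {
    directory "/usr/local/named";
    allow-transfer { none; };
    allow-recursion { 172.20/16; 203.0.113.0/24; 10.10.10.10; 10.10.10.20; };
    version "Not Available";
    query-source address * port 53;   // fixed source port
};
"""

# Constructed sample: recursion limited to internal space, no pinned port,
# and queries handed to two (placeholder) forwarders.
FORWARDING_CONF = """
options {
    directory "/usr/local/named";
    allow-transfer { none; };
    allow-recursion { 172.20/16; 10.10.10.10; 10.10.10.20; };
    version "Not Available";
    query-source address *;
    // only use forwarders; don't look up on our own
    forward only;
    forwarders { 192.168.100.12; 10.0.54.5; };
};
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def strip_comments(text):
    """Remove BIND's three comment styles: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def options_body(text):
    """Return the text between the outer braces of the options { ... } block."""
    text = strip_comments(text)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        raise ValueError("no options block found")
    depth, start = 1, m.end()
    for j in range(start, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[start:j]
    raise ValueError("unbalanced braces in options block")


def statements(body):
    """Split into top-level statements; semicolons inside nested { } do not split."""
    out, depth, cur = [], 0, []
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            stmt = "".join(cur).strip()
            if stmt:
                out.append(stmt)
            cur = []
        else:
            cur.append(ch)
    return out


def address_list(rest):
    """Entries of an address-match list such as { 172.20/16; 10.10.10.10; }."""
    inner = re.search(r"\{(.*)\}", rest, flags=re.S)
    if not inner:
        return []
    return [e.strip() for e in inner.group(1).split(";") if e.strip()]


def to_network(entry):
    """BIND accepts shortened prefixes such as 172.20/16; pad to four octets for ipaddress."""
    addr, _, plen = entry.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(addr + ("/" + plen if plen else ""), strict=False)


def audit(conf):
    """Return findings relevant to cache-poisoning exposure; an empty list means nothing flagged."""
    findings, opts = [], {}
    for stmt in statements(options_body(conf)):
        m = re.match(r"([\w-]+)\s*(.*)", stmt, flags=re.S)
        if m:
            opts[m.group(1)] = m.group(2)

    # 1. A fixed outbound port removes the source-port randomisation the Kaminsky fix relies on.
    port = re.search(r"\bport\s+(\S+)", opts.get("query-source", ""))
    if port and port.group(1) != "*":
        findings.append("query-source pins the outbound port to %s; let named randomise it" % port.group(1))

    # 2. Recursion offered to clients outside RFC 1918 space.
    for entry in address_list(opts.get("allow-recursion", "")):
        if entry == "any":
            findings.append("allow-recursion { any; } makes this an open resolver")
        elif not entry[0].isdigit():
            continue  # keyword (none, localnets, ...) or named ACL; not analysed here
        elif not any(to_network(entry).subnet_of(n) for n in RFC1918):
            findings.append("allow-recursion grants recursion to non-private range %s" % entry)

    # 3. forward only does nothing useful without a forwarders list.
    if opts.get("forward", "").strip() == "only" and not address_list(opts.get("forwarders", "")):
        findings.append("forward only is set but the forwarders list is empty")
    return findings


if __name__ == "__main__":
    for label, conf in (("fixed-port", FIXED_PORT_CONF), ("forwarding", FORWARDING_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Running it prints two findings for the first sample (the pinned port and the 203.0.113.0/24 entry) and none for the second. The parser only handles the options block and numeric address entries; named ACLs and `view` statements are skipped rather than guessed at.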