Linode Forum
https://forum.linode.com/

DNS security
https://forum.linode.com/viewtopic.php?f=19&t=7618

Author:  Danrr [ Wed Aug 24, 2011 1:40 am ]
Post subject:  DNS security

If using DNS, how concerned should I be about DNS security issues such as cache poisoning and cache snooping?

According to Linode, "Our DNS platform is secure, especially when communicating over the private network."

I'm not sure how to assess how secure is "secure". The "especially" part of that sentence makes me wonder what aspect of it is less secure than optimally secure.

Using IP addresses is not a good alternative because the nature of the application would make it hard to migrate to new IP addresses at another hosting company if circumstances dictated a need to migrate.

Author:  hoopycat [ Wed Aug 24, 2011 8:02 am ]
Post subject: 

If absolute assurance is required, deploying DNSSEC may be appropriate for your zones. That, along with DNSSEC-aware recursive nameservers, is the "best" way to ensure that recursive nameservers provide the correct answer.

For a more realistic answer :-), the first part of your question makes it sound like you're concerned about Linode's recursive nameservers (the ones in your resolv.conf), but the second part makes it sound like you're concerned about Linode's authoritative nameservers (the ones you point your domain at). The latter are, strictly speaking, not susceptible to cache attacks as they aren't recursive nameservers. The former, as with all other recursive nameservers, are at least a little bit susceptible. The situation used to be worse, but there have been improvements in recent years with how recursive nameserver software operates.

There is nothing you can do about your end users' recursive nameservers other than transitioning to DNSSEC and hoping they've got secure connections to nameservers that support and validate DNSSEC. This is not common.
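Added example, not part of the original posts: the recursive/authoritative distinction and the DNSSEC validation described in the reply above are both visible in the DNS header flags. This sketch builds a query with the EDNS0 DO bit set and classifies replies by their AA, RA and AD bits; the function names and the header-only sample packets are constructed for illustration.

```python
import struct

# Bits of the 16-bit DNS header flags field (RFC 1035; AD from RFC 4035).
QR, AA, RD, RA, AD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020

def build_query(name, qtype=1, txid=0x1234):
    """Query with RD=1 plus an EDNS0 OPT record with DO=1 (ask for DNSSEC data)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)  # 1 question, 1 additional
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL bit 15 of low half=DO
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def classify_response(packet, expected_txid):
    """Read the header flags of a reply and say which kind of server produced it."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    if not flags & QR or txid != expected_txid:
        raise ValueError("not a response to our query")
    info = {"aa": bool(flags & AA), "ra": bool(flags & RA),
            "ad": bool(flags & AD), "rcode": flags & 0x000F}
    if info["ra"] and info["ad"]:
        info["role"] = "recursive, answer DNSSEC-validated"
    elif info["ra"]:
        # AD is also clear for unsigned zones, so this is not proof of no validation.
        info["role"] = "recursive, answer not marked validated"
    elif info["aa"]:
        info["role"] = "authoritative-only (no cache)"
    else:
        info["role"] = "unknown"
    return info

def reply(flags, txid=0x1234):
    """Constructed header-only reply for the demo; not captured traffic."""
    return struct.pack("!HHHHHH", txid, QR | flags, 0, 0, 0, 0)

SAMPLES = {
    "authoritative": reply(AA),
    "validating resolver": reply(RD | RA | AD),
    "plain resolver": reply(RD | RA),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, "->", classify_response(pkt, 0x1234)["role"])
```

The AD bit is only the resolver's claim that it validated the answer, so it is meaningful only when the path between the client and that resolver is itself trusted.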

All times are UTC-04:00