Hi John.
Let me add that NOT restricting what the resolver accepts from the
forwarder would be a security hole. In fact it _was_ a security hole in
BIND, see
[CVE-2021-25220] DNS Cache Poisoning Vulnerability
https://gitlab.isc.org/isc-projects/bind9/-/issues/2950
In your example 'baz.local'
Hi John.
The reason is step 4c here:
https://datatracker.ietf.org/doc/html/rfc1034#section-5.3.3
The A record in the response is for a name that BIND wasn't asked for
(otherwise why a CNAME at all?), so in the interests of not just believing
random answers that might potentially poison the cache,
We are asked to forward queries for foo.example.com to a set of private
resolvers. So we have something like this in our .conf
zone "foo.example.com" {
    type forward;
    forward only;
    forwarders { 10.1.2.3; 10.1.4.5; };
};
And when queried for an A-record for bar.foo.example.com (and the
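To make the step 4c behaviour discussed above concrete, here is an added toy model (not code from the thread, from BIND, or from the RFC) of how a forwarding resolver should treat a CNAME answer that leaves the forwarded zone: records owned by names inside the forward zone may be cached, but when the chain points outside it the forwarder's A record for the target is dropped and resolution restarts for that name. The response records and the 10.9.9.9 address are constructed; baz.local and the zone names come from the thread.

```python
# Added example, not code from the thread or from BIND: a toy model of
# RFC 1034 section 5.3.3 step 4c plus the bailiwick rule for a forward zone.
# Response records and 10.9.9.9 are constructed for illustration.

MAX_CNAME_HOPS = 8  # guard against a CNAME loop inside one response


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or a name below it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def process_response(qname, zone, response):
    """Decide what to cache from a forwarder's response.

    response: list of (owner, rtype, rdata) tuples sent by the forwarder.
    Returns (records safe to cache, name to restart resolution for or None).
    Only records owned by names inside the forward zone are ever cached; if
    the CNAME chain leads outside the zone, any data the forwarder included
    for the target is discarded and resolution restarts at step 1 for it.
    """
    cache = []
    sname = qname
    for _ in range(MAX_CNAME_HOPS):
        if not in_bailiwick(sname, zone):
            return cache, sname          # out of zone: do not trust, re-resolve
        rrs = [r for r in response if r[0].lower() == sname.lower()]
        cname = next((r for r in rrs if r[1] == "CNAME"), None)
        if cname is None:
            cache.extend(rrs)            # final answer within the zone
            return cache, None
        cache.append(cname)              # step 4c: cache the CNAME, then chase it
        sname = cname[2]
    raise ValueError("CNAME chain too long or looping in response")


# Constructed forwarder response for bar.foo.example.com: the CNAME points at
# baz.local and the forwarder also includes an A record for it. That A record
# is out of bailiwick and must not be cached.
RESPONSE = [
    ("bar.foo.example.com", "CNAME", "baz.local"),
    ("baz.local", "A", "10.9.9.9"),
]

if __name__ == "__main__":
    cached, restart = process_response("bar.foo.example.com", "foo.example.com", RESPONSE)
    print("cache:", cached)
    print("restart resolution for:", restart)
```

With the constructed response the resolver caches only the CNAME and restarts resolution for baz.local from scratch; a CNAME whose target stays inside foo.example.com is chased within the same response and its A record is cached.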