Re: Behavior of 'forward only' zone

2024-08-20 Thread Petr Špaček
Hi John. Let me add that NOT restricting what the resolver accepts from the forwarder would be a security hole. In fact it _was_ a security hole in BIND, see [CVE-2021-25220] DNS Cache Poisoning Vulnerability https://gitlab.isc.org/isc-projects/bind9/-/issues/2950 In your example 'baz.local'

Re: Behavior of 'forward only' zone

2024-08-20 Thread Greg Choules via bind-users
Hi John. The reason is step 4c here: https://datatracker.ietf.org/doc/html/rfc1034#section-5.3.3 The A record in the response is for a name that BIND wasn't asked for (otherwise why a CNAME at all?), so in the interests of not just believing random answers that might potentially poison the cache,

Behavior of 'forward only' zone

2024-08-20 Thread John Thurston
We are asked to forward queries for foo.example.com to a set of private resolvers. So we have something like this in our .conf: zone "foo.example.com" { type forward; forward only; forwarders { 10.1.2.3; 10.1.4.5; }; }; And when queried for an A-record for bar.foo.example.com (and the