On Tue, 20 Aug 2002 20:55:31 +0300 "Odhiambo G. Washington" <wash@???> wrote:
> * Suresh Ramasubramanian <mallet@???> [20020820 20:29]: wrote:
> > Approach it from the other direction - have a caching only nameserver setup
> > locally. and/or hardwire entries into /etc/hosts.
> I have a fully fledged name server running on that box ;)
> You are against that?
good security practice suggests that you should have dedicated boxes
serving as non-recursive, non-caching authoritative name servers that
provide no other services, and then run non-authoritative,
recursive/caching nameservers on other boxes.

DNS cache poisoning is a bitch. limit the potential damage. you don't need
much of a computer to meet the authoritative DNS needs of most businesses.
it's a good place to use an old pentium or pentium 2.
richard
--
Richard Welty
rwelty@??? Averill Park Networking
rwelty@??? Unix, Linux, IP Network Engineering, Security
rwelty@??? 518-573-7592
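
Added example, not part of the original message: a small audit check for the split recommended above, which reads the AA and RA header bits of two replies (one for a name the server hosts, one for a name it does not) and reports whether the box acts as authoritative-only, recursive-only, or both. The function names, the classification labels and the sample replies are assumptions made for this illustration; the flag test is a heuristic, not a full resolver audit.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits (RFC 1035)
REFUSED = 5                                      # RCODE sent when a query is declined

def build_query(name, qid=0x1234):
    """Build an A-record query with Recursion Desired set."""
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_flags(msg):
    """Return (aa, ra, rcode) from the header of a DNS response."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _, flags = struct.unpack("!HH", msg[:4])
    if not flags & QR:
        raise ValueError("not a response")
    return bool(flags & AA), bool(flags & RA), flags & 0x000F

def classify(own_zone_reply, foreign_reply):
    """Infer the server's role from a reply for a hosted name and one for a non-hosted name."""
    aa, _, own_rcode = parse_flags(own_zone_reply)
    _, ra, foreign_rcode = parse_flags(foreign_reply)
    authoritative = aa and own_rcode == 0
    recursive = ra and foreign_rcode != REFUSED
    if authoritative and recursive:
        return "mixed"               # the combination the message advises against
    if authoritative:
        return "authoritative-only"
    if recursive:
        return "recursive-only"
    return "unknown"

def probe(server, name, timeout=3.0):
    """Send one UDP query to a server you administer and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

def sample_reply(name, aa, ra, rcode=0):
    """Constructed reply for offline runs: the query with response flags filled in."""
    q = build_query(name)
    flags = QR | RD | (AA if aa else 0) | (RA if ra else 0) | rcode
    return q[:2] + struct.pack("!H", flags) + q[4:]
```

For a live check, pass `classify` the output of `probe` for a name in one of the server's own zones and for a name outside them.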