On Sat, 31 Oct 2020 09:08:50 +0900
Simon Walter <simon@???> wrote:
> On 10/30/20 7:29 AM, Rick Moen wrote:
> ...
> > FWIW, I am no longer comfortable with the idea of a combined
> > authoritative/recursive server on a publicly exposed static IP.
> > That has been deprecated for long decades as bad security,
> > particularly because it increases the risk of cache poisoning of
> > the recursive server. IMO, a LAN connected to public networks,
> > even a small one, ought to have the authoritative service on a
> > separate, public-facing host, and the recursive service on a
> > protected, internal-network machine that is as shielded from public
> > networks as possible.
>
> Thanks for the bits of wisdom.
>
> Do you know any papers/articles/sites that discuss and explain this
> more?
>
> I have not updated my IT knowledge in years and am a bit thirsty.
When it comes to separation of authoritative and resolver parts of DNS,
the documentation from the old djbdns makes it very clear, and is an
excellent starting point.
SteveT
Steve Litt
Autumn 2020 featured book: Thriving in Tough Times
http://www.troubleshooters.com/thrive
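To go with Rick's point about not serving recursion from the public-facing host, here is a small probe, added as an example for this page and not taken from any poster's mail or from djbdns. It builds a DNS query with the RD (recursion desired) bit set, sends it to a server, and reads the RA bit, AA bit and rcode out of the reply header: an authoritative-only server answers RA=0 (REFUSED for names outside its zones, AA=1 for its own), while a server that sets RA=1 for the client is acting as a resolver for it. The function names, the three constructed replies used for offline demonstration, and the choice of example.com as a name the tested server is presumably not authoritative for are my own assumptions.

```python
"""Probe a DNS server to see whether it offers recursion to the caller.

Added example, not code from the thread or from djbdns.  It sends one UDP
query with RD=1 and classifies the reply by its header flags.  Names and
constructed replies are assumptions made for this illustration.
"""
import random
import socket
import struct
import sys

# DNS header flag bits (RFC 1035 section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_REFUSED = 5


def build_query(qname, qtype=1, txid=None, rd=True):
    """Return a wire-format query for qname (qtype 1 = A, class IN)."""
    if txid is None:
        txid = random.getrandbits(16)
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_flags(msg):
    """Decode the 12-byte DNS header of a message into its interesting fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(f):
    """Label a reply to an RD=1 query by what it says about recursion."""
    if f["ra"]:
        return "open-recursion"      # server is willing to recurse for us
    if f["aa"]:
        return "authoritative-only"  # answered from its own zone, no recursion
    if f["rcode"] == RCODE_REFUSED:
        return "recursion-refused"   # not its zone and it will not look it up
    return "no-recursion"            # e.g. an empty referral, still RA=0


# Constructed replies for offline use (header only; classify needs no more).
OPEN_RESOLVER_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RCODE_REFUSED, 1, 0, 0, 0)
AUTH_REPLY = struct.pack("!HHHHHH", 0x1234, QR | AA | RD, 1, 1, 0, 0)


def probe(server, qname="example.com.", port=53, timeout=3.0):
    """Send one query and classify the reply; use a qname outside the server's zones."""
    txid = random.getrandbits(16)
    query = build_query(qname, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        data, _ = s.recvfrom(4096)
    f = parse_flags(data)
    if f["id"] != txid or not f["qr"]:
        raise ValueError("reply does not match our query")
    return classify(f)


if __name__ == "__main__":
    for label, reply in [("open resolver", OPEN_RESOLVER_REPLY),
                         ("auth-only, foreign name", REFUSED_REPLY),
                         ("auth-only, own zone", AUTH_REPLY)]:
        print(f"{label:24s} -> {classify(parse_flags(reply))}")
    for server in sys.argv[1:]:  # e.g. python3 dnsprobe.py 192.0.2.53
        try:
            print(f"{server:24s} -> {probe(server)}")
        except (OSError, ValueError) as e:
            print(f"{server:24s} -> error: {e}")
```

Run it from outside the LAN against the public IP of the authoritative host: the result you want is recursion-refused (or authoritative-only if you ask for one of its own names). Getting open-recursion from an outside address is exactly the combined setup Rick warns about. Run the same probe from inside against the internal resolver and open-recursion is the correct answer there. It is the same information `dig @host example.com` shows in its flags line, as "ra" present or absent.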