Maintained by: NLnet Labs

[Unbound-users] allowing cache queries but not doing recursion for "foreign" networks

Ondřej Surý
Mon Feb 16 00:17:16 CET 2009


> I.e. if recursion is _not_ performed for any "foreign" queries then nobody
> outside of the networks "trusted" by the caching nameserver can succeed at
> this attack any more than they could succeed at using _any_ and _every_
> authoritative nameserver "normally".

Sorry, but you are wrong, f.e. see recent attack on ISPrime:

https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

Ondrej
-- 
Ondřej Surý <ondrej at sury.org>