Best practices securing DNS (continued)


The internal resolving name server must provide recursion, and is therefore somewhat more susceptible to attack since it must accept data from other DNS servers. Additional protection of the resolving name server can be provided via other means such as packet filtering and restricting the server to respond only to known hosts. 

In this manner, if the resolving server were to be compromised or its cache poisoned, the advertising server's authoritative zone information would be unaffected, thus limiting the potential damage. 

Similarly, if the resolving name servers are also configured to be authoritative for internal zones, a compromise of the advertising name server would not affect the normal operation of the internal clients of the resolving name servers.