SCIENTIFIC-LINUX-USERS Archives

February 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: David Sommerseth <[log in to unmask]>
Date: Thu, 21 Feb 2013 10:54:53 +0100
Content-Type: text/plain

On 21/02/13 08:28, curriegrad2004 wrote:
> On Wed, Feb 20, 2013 at 10:16 PM, Todd And Margo Chester
> <[log in to unmask]> wrote:
>> Hi All,
>>
>> I can not get frontier's DNS servers to resolve
>> releases.mozilla.org.  So, in my /etc/named.conf
>> I commented out frontier's DNS servers and substituted
>> Google's (8.8.8.8) and Open DNS' (208.67.222.222).
>>
>>         # forwarders { 216.67.192.3; 74.40.37.242; };
>>         # forwarders { 74.40.74.40; 74.40.74.41; };
>>         forwarders { 8.8.8.8; 208.67.222.222; };
>>
>> Am I making a security mistake here?
>>
>> Many thanks,
>> -T
>
> From a security perspective, I would seriously not even bother
> querying anybody's DNS servers but rather have BIND become a full
> recursive DNS server using only the root hints provided by IANA.
> 
> Unless frontier is hijacking DNS (port 53) traffic, I'd strongly
> recommend using the method mentioned above.

+1 ... Set up your local bind installation as a caching server, which
should be the default on an EL6 installation; you just need to ensure
that you have this section in your /etc/named.conf, and then you can
ditch the forwarders completely:

  zone "." IN {
      type hint;
      file "named.ca";
  };

And please avoid the typical mistake of disabling DNSSEC (which 98% of
all Internet blogs suggest).  DNSSEC usually works out-of-the-box on an
EL6 installation.


--
kind regards,

David Sommerseth
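Added here as an illustration (it is not part of David's message or of any reply on the list) is a small POSIX shell script that applies the three points raised in the thread to a named.conf: an active forwarders line, a missing root hint zone, and DNSSEC explicitly switched off. The two configs it audits are constructed for this example; the "good" one mirrors the EL6 default options David refers to (dnssec-enable, dnssec-validation, the `zone "."` hint block), and the "bad" one keeps Todd's forwarders uncommented and adds the explicit `dnssec-validation no` that David warns against. The function names `strip_comments`, `named_conf_findings` and `count_findings`, and the temp-file paths, are this example's own.

```shell
#!/bin/sh
# Audit a BIND named.conf for the three points raised in the thread:
#   1. forwarders still active (the resolver trusts somebody else's answers)
#   2. no root hint zone (cannot recurse from the IANA roots on its own)
#   3. DNSSEC explicitly switched off (the "typical mistake")
# Added illustration; the two configs below are constructed for this
# script and are not copied from any real host.

# Remove single-line comments (#, //, and /* ... */ on one line) so that a
# commented-out "forwarders" line, as in Todd's named.conf, is not counted.
# Multi-line /* ... */ blocks are not handled (assumed limitation).
strip_comments() {
    sed -e 's|//.*$||' -e 's|#.*$||' -e 's|/\*.*\*/||' "$1"
}

# Print one line per finding on stdout; return 0 when clean, 1 otherwise.
named_conf_findings() {
    conf="$1"
    found=0
    body=$(strip_comments "$conf")

    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*forwarders[[:space:]]*\{'; then
        echo "forwarders active: answers come from upstream resolvers, not the roots"
        found=1
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*type[[:space:]]+hint[[:space:]]*;'; then
        echo "no root hint zone: add zone \".\" IN { type hint; file \"named.ca\"; };"
        found=1
    fi
    # Only an explicit "no" is flagged; "yes" (EL6 default) and "auto"
    # (BIND 9.8+, built-in root trust anchor) are both fine.
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*dnssec-(validation|enable)[[:space:]]+no[[:space:]]*;'; then
        echo "DNSSEC explicitly disabled: set dnssec-enable yes; dnssec-validation yes;"
        found=1
    fi
    return $found
}

# Number of findings, for use in scripts.
count_findings() {
    named_conf_findings "$1" | wc -l | tr -d ' '
}

# Constructed sample configs (not real hosts), removed on exit.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

GOOD_CONF="$TMPD/good.conf"
cat > "$GOOD_CONF" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    allow-query { localhost; };
    # forwarders { 8.8.8.8; 208.67.222.222; };   <- left commented out
    dnssec-enable yes;
    dnssec-validation yes;
};
zone "." IN {
    type hint;
    file "named.ca";
};
EOF

BAD_CONF="$TMPD/bad.conf"
cat > "$BAD_CONF" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    forwarders { 8.8.8.8; 208.67.222.222; };
    dnssec-enable no;
    dnssec-validation no;  // "fixes" SERVFAIL, according to many blogs
};
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    echo "== $f"
    if named_conf_findings "$f"; then
        echo "clean"
    fi
done
```

Against a real box, source the script and run `named_conf_findings /etc/named.conf`; this only checks the policy points from the thread, so still run `named-checkconf` for syntax before restarting named. Once the resolver is recursing on its own, `dig +dnssec @127.0.0.1 <signed name>` should come back with the `ad` flag set for a DNSSEC-signed name, which is the quickest sign that validation is actually happening rather than merely configured.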
