DNS requests allowed from cache even when ACL denied
General June 19th, 2007
I’m prepping for a DNS server (bind) upgrade at work. Part of that includes updating our configurations to be more secure, which includes adding an ACL so only allowed campus hosts can use us as a recursive name server. (Meaning only our clients can ask our server to ask other servers for DNS information. We’ll answer for our zones to anyone, but only lookup cnn.com for our clients.)
That’s working well in my testbed, but I uncovered the quirk that the allow-recursion ACL is ignored if the request is in the cache on the server. That means as long as one of my allowed clients has looked up cnn.com, and that entry validly exists in the cache, any client anywhere can ask my server about it. “Oh, you want cnn.com, sure I know that.” I’m torn because as a librarian I like that — information is free, it worked for me so let me tell you about it, etc. It’s that general nature of giving and sharing that makes DNS and the Internet work (assuming we lived in a world where nothing was exploited/hacked/spoofed/abused/etc., in other words, the world we don’t live in, hence the need to secure things). The sysadmin in me doesn’t like this because it’s too inconsistent. My server will return queries for slashdot.org to the world as long as someone inside my network looked up slashdot.org recently. Ick. Who wants to troubleshoot that? It starts to explain why modern DNS server practices include caching servers inside the organization that only inside clients can access, and iterative-only (meaning just the zones I serve) servers on the outside. Here, we have one set of servers doing both, but because the server checks the cache before the ACLs, it doesn’t follow its ACL rules consistently. Seems like a bad design to me.
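As an added example (not from the original post), here is how the two-tier arrangement described above can be expressed in a single BIND 9 named.conf: the campus ACL, an explicit allow-query-cache statement so cached answers follow the same ACL as recursion (assumes BIND 9.4 or later, where that statement exists), and two views so one server is recursive for campus clients and authoritative-only for everyone else. The network prefixes, zone name and file names are constructed placeholders.

```conf
// Campus networks allowed to use this server recursively.
// 192.0.2.0/24 and 2001:db8::/32 are constructed documentation prefixes.
acl "campus" { localhost; 192.0.2.0/24; 2001:db8::/32; };

options {
    directory "/var/named";   // placeholder path
    // Weak: allow-recursion alone only gates *new* lookups; records
    // already in the cache can still be handed to any client.
    // allow-recursion { campus; };

    // Hardened: gate reads from the cache with the same ACL, explicitly,
    // so the result does not depend on version-specific defaults.
    allow-recursion   { campus; };
    allow-query-cache { campus; };
};

// Internal view: campus clients get recursion and cached answers.
view "internal" {
    match-clients     { campus; };
    recursion yes;
    allow-query       { campus; };
    allow-recursion   { campus; };
    allow-query-cache { campus; };
    zone "." { type hint; file "named.root"; };          // placeholder file
    zone "example.com" { type master; file "db.example.com"; };
};

// External view: everyone else gets only our own zones; no recursion,
// and no cache to read from.
view "external" {
    match-clients     { any; };
    recursion no;
    allow-query       { any; };
    allow-query-cache { none; };
    zone "example.com" { type master; file "db.example.com"; };
};
```

After loading this, a query for an outside name from a non-campus address should return REFUSED regardless of whether a campus client has recently resolved it, which is the consistent behaviour the post is asking for.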