Operating System - Linux

lastgreatone

non-authoritative answer

I have installed a Linux box in the DMZ and added the relevant domain and DNS entries in resolv.conf. When I run nslookup from the Linux box against a sub-DNS inside the firewall I get "non-authoritative answer", which I understand means the sub-DNS is not cached in the DMZ DNS database, correct? My question is, is this a security issue?

Re: non-authoritative answer

Hi,
It's very natural for it to behave this way, and there are no obvious security implications to it. You can have a look at the security and vulnerability trends at
http://www.cert.org/present/cert-overview-trends/

Manoj
oiram

Re: non-authoritative answer

Hi,

This could be a security issue if the parent server of your DNS is not secure (I think it should be out of your own network). For example, a hacker can hang that DNS and substitute it, so he would be able to send you wherever he wants (for example, a false page of Deutsche Bank). This can happen in any DNS from your DNS to the root servers, but you can't do anything about this. If you need to communicate with some web site in a secure way, use certificates.

I hope this helps.



Kodjo Agbenu

Re: non-authoritative answer

Hello,

I completely agree with the previous answer.

What I would suggest :

Never put the reference DNS zones (aka primary or master or authoritative) in the DMZ. The Linux box in your DMZ should be a secondary DNS server. It should synchronize with a primary server in your intranet through the firewall.

To achieve this synchronization in a secure way, use cryptographic keys (available with BIND 8 and above). Read the named.conf manpage to learn more on this.

Good luck.

Kodjo
Learn and explain...
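The secondary-in-the-DMZ layout Kodjo describes, written out as the two named.conf fragments and the shared TSIG key that ties them together. This is an added example, not code from the thread: it mirrors what BIND's tsig-keygen emits (an hmac-sha256 key with a 32-byte random secret, base64 encoded) and assumes hypothetical addresses (primary 10.0.0.53 on the intranet, secondary 192.0.2.53 in the DMZ) and the zone example.com. The `master`/`slave` type names are used because they are accepted by every BIND 9 release; newer releases also accept `primary`/`secondary`.

```python
"""Generate a TSIG key and matching named.conf fragments for an intranet
primary and a DMZ secondary, and flag the weak allow-transfer setting.

Added example, not from the original thread.  Addresses and zone name are
assumptions.  The key statement has the same shape as tsig-keygen output.
"""
import base64
import os
import re

# The one setting that undoes the whole design: AXFR open to the world.
WEAK_TRANSFER = re.compile(r"allow-transfer\s*\{\s*any\s*;\s*\}")


def generate_tsig_key(name="dmz-xfer", algorithm="hmac-sha256", nbytes=32):
    """Return (key_name, key_statement).  The secret is fresh random material,
    base64 encoded, exactly as tsig-keygen would produce it."""
    secret = base64.b64encode(os.urandom(nbytes)).decode()
    stmt = (
        f'key "{name}" {{\n'
        f"\talgorithm {algorithm};\n"
        f'\tsecret "{secret}";\n'
        "};\n"
    )
    return name, stmt


def primary_conf(zone, key_name, key_stmt, secondary_ip):
    """Intranet primary (hypothetical 10.0.0.53): only a transfer signed with
    the shared key is allowed, and the DMZ secondary is notified on change."""
    return (
        key_stmt
        + f'server {secondary_ip} {{ keys {{ "{key_name}"; }}; }};\n'
        + f'zone "{zone}" {{\n'
        + "\ttype master;\n"
        + f'\tfile "db.{zone}";\n'
        + f'\tallow-transfer {{ key "{key_name}"; }};\n'
        + f"\talso-notify {{ {secondary_ip}; }};\n"
        + "};\n"
    )


def secondary_conf(zone, key_name, key_stmt, primary_ip):
    """DMZ secondary (hypothetical 192.0.2.53): pulls the zone from the
    primary with the key and refuses to hand the zone on to anyone.
    The firewall needs TCP and UDP 53 from this host to primary_ip only."""
    return (
        key_stmt
        + f'zone "{zone}" {{\n'
        + "\ttype slave;\n"
        + f'\tfile "db.{zone}";\n'
        + f'\tmasters {{ {primary_ip} key "{key_name}"; }};\n'
        + "\tallow-transfer { none; };\n"
        + "};\n"
    )


def transfer_is_restricted(conf_text):
    """False if any options/zone block in conf_text allows AXFR to 'any'."""
    return WEAK_TRANSFER.search(conf_text) is None


if __name__ == "__main__":
    key_name, key_stmt = generate_tsig_key()
    print("# --- primary (intranet) ---")
    print(primary_conf("example.com", key_name, key_stmt, "192.0.2.53"))
    print("# --- secondary (DMZ) ---")
    print(secondary_conf("example.com", key_name, key_stmt, "10.0.0.53"))
```

The same key statement is installed on both hosts (copy it over an authenticated channel, never through the zone itself), and `rndc reload` on each side picks it up. The `transfer_is_restricted` check is the one to run over any named.conf you inherit: a DMZ server that answers `allow-transfer { any; }` leaks the whole intranet zone to anyone who can reach port 53.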
ramesh_6
Solution

Re: non-authoritative answer

Hi,
What nslookup is telling you is that the DNS server for the machine you are running nslookup on is not one of the registered authoritative nameservers for your domain. When nslookup starts, it lists the nameserver it is using as a default. By rights that won't be one of your registered nameservers.
If it is, you need to check your Internic records, and you need to check your zone files, and particularly the named.conf file, to make sure the zone files are being loaded (primary) or transferred (secondary).


Regds
Ramesh
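What nslookup's "Non-authoritative answer" line actually reflects is one bit in the DNS response header, the AA (Authoritative Answer) flag from RFC 1035. The added example below, which is not code from the thread, builds two constructed responses to the same query, one as an authoritative server would send it (AA set) and one as a caching resolver would (AA clear), and decodes the header and the first answer record of each. The query name host.example.com and address 192.0.2.10 are made-up sample data; nothing is sent on the network.

```python
"""Decode the AA bit that drives nslookup's "Non-authoritative answer".

Added example, not from the original thread.  Builds two constructed DNS
responses offline and parses their headers and first answer record.
"""
import struct


def encode_name(qname):
    """Wire-format a dotted name: length-prefixed labels, zero terminator."""
    labels = qname.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(txn_id, qname, address, authoritative, ttl=300):
    """Constructed A-record response.  Only the AA flag differs between an
    authoritative server and a caching resolver answering the same query."""
    flags = 0x8000          # QR=1: this is a response
    if authoritative:
        flags |= 0x0400     # AA: server is authoritative for the zone
    flags |= 0x0100         # RD: copied from the query
    flags |= 0x0080         # RA: recursion available
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # A, IN
    rdata = bytes(int(o) for o in address.split("."))
    # Answer name is a compression pointer (0xC00C) back to offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_header(msg):
    """Split the 12-byte header into its fields (RFC 1035 section 4.1.1)."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txn_id,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def read_name(msg, offset):
    """Decode a name at offset, following compression pointers.
    Returns (name, offset just past the name as it appeared in the message)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # pointer: 2 bytes
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_first_answer(msg):
    """Skip the question section and decode the first resource record."""
    h = parse_header(msg)
    offset = 12
    for _ in range(h["qdcount"]):
        _, offset = read_name(msg, offset)
        offset += 4                                 # QTYPE + QCLASS
    name, offset = read_name(msg, offset)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    rdata = msg[offset:offset + rdlen]
    value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
    return {"name": name, "type": rtype, "ttl": ttl, "rdata": value}


def describe(msg):
    """The line nslookup prints, derived from the same bit it looks at."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not a response"
    return "Authoritative answer" if h["aa"] else "Non-authoritative answer"


if __name__ == "__main__":
    for auth in (True, False):
        m = build_response(0x1234, "host.example.com", "192.0.2.10", auth)
        print(describe(m), parse_first_answer(m))
```

The practical check that follows from Ramesh's answer: point the query at a server listed in the zone's NS records (for example, `dig @ns1.example.com host.example.com`) and confirm the `aa` flag appears in the response header; if the server you configured in resolv.conf is supposed to be authoritative and never sets AA, the zone is not being loaded or transferred as named.conf intends.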