From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from bytemark.thekelleys.org.uk (bytemark.thekelleys.org.uk [IPv6:2001:41c8:51:46b:feff:ff:fe00:3310]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (Client did not present a certificate) by huchra.bufferbloat.net (Postfix) with ESMTPS id DF49F21F224 for ; Thu, 17 Apr 2014 14:01:39 -0700 (PDT) Received: from [213.205.227.240] (helo=[192.168.150.151]) by bytemark.thekelleys.org.uk with esmtpa (Exim 4.80) (envelope-from ) id 1WatRA-0003b0-4m for cerowrt-devel@lists.bufferbloat.net; Thu, 17 Apr 2014 21:01:36 +0000 Message-ID: <5350412A.8010303@thekelleys.org.uk> Date: Thu, 17 Apr 2014 22:01:30 +0100 From: Simon Kelley User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: cerowrt-devel@lists.bufferbloat.net References: <1c739791-2058-4267-bc41-789496d74faf@email.android.com> <20140413175940.GP16334@angus.ind.WPI.EDU> In-Reply-To: X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default? X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Apr 2014 21:01:40 -0000 On 14/04/14 00:24, Dave Taht wrote: > > > So far as I know the caching functionality in dnsmasq in that instance > is disabled due to fears about cache poisoning, that I don't fully > understand. My half understood fear translates into equivalent fears > for other local dns daemons. > My understanding is that this relates to multi-user systems where the users share the cache and run on the local machine. Essentially, if I can generate cache misses at will, ie by making queries, then I can synchronously flood the DNS cache with bogus answers to the query. Source-port randomisation doesn't help: a simple netstat or equivalent will tell me that, so the only protection is the 16-bit query-id, which is no protection at all: 64k UDP packets via the loopback interface can easily arrive before one from the wider internet. That allows a user to poison his own DNS, but if the cache is shared, then it allows him to also poison the DNS of any other user on the machine. The solution is per-user caches. Simon.