From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <simon@thekelleys.org.uk>
Received: from bytemark.thekelleys.org.uk (bytemark.thekelleys.org.uk
	[IPv6:2001:41c8:51:46b:feff:ff:fe00:3310])
	(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(Client did not present a certificate)
	by huchra.bufferbloat.net (Postfix) with ESMTPS id DF49F21F224
	for <cerowrt-devel@lists.bufferbloat.net>;
	Thu, 17 Apr 2014 14:01:39 -0700 (PDT)
Received: from [213.205.227.240] (helo=[192.168.150.151])
	by bytemark.thekelleys.org.uk with esmtpa (Exim 4.80)
	(envelope-from <simon@thekelleys.org.uk>) id 1WatRA-0003b0-4m
	for cerowrt-devel@lists.bufferbloat.net; Thu, 17 Apr 2014 21:01:36 +0000
Message-ID: <5350412A.8010303@thekelleys.org.uk>
Date: Thu, 17 Apr 2014 22:01:30 +0100
From: Simon Kelley <simon@thekelleys.org.uk>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: cerowrt-devel@lists.bufferbloat.net
References: <CAA93jw41jCuc2UN0rB6WQdVz2qzOtEcoCS-Pm6czwLDU59uXqA@mail.gmail.com>	<1c739791-2058-4267-bc41-789496d74faf@email.android.com>	<20140413175940.GP16334@angus.ind.WPI.EDU>
	<CAA93jw7FoNdn0baGhOHFz6XJ1aY1oXsnA+Srn4p7+xa_AOgv2Q@mail.gmail.com>
In-Reply-To: <CAA93jw7FoNdn0baGhOHFz6XJ1aY1oXsnA+Srn4p7+xa_AOgv2Q@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
	<cerowrt-devel.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/cerowrt-devel>
List-Post: <mailto:cerowrt-devel@lists.bufferbloat.net>
List-Help: <mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Thu, 17 Apr 2014 21:01:40 -0000

On 14/04/14 00:24, Dave Taht wrote:
>
> 
> So far as I know the caching functionality in dnsmasq in that instance
> is disabled due to fears about cache poisoning, that I don't fully
> understand. My half understood fear translates into equivalent fears
> for other local dns daemons.
> 

My understanding is that this relates to multi-user systems where the
users share the cache  and run on the local machine.

Essentially, if I can generate cache misses at will, ie by making
queries, then I can synchronously flood the DNS cache with bogus answers
to the query. Source-port randomisation doesn't help: a simple netstat
or equivalent will tell me that, so the only protection is the 16-bit
query-id, which is no protection at all: 64k UDP packets via the
loopback interface can easily arrive before one from the wider internet.

That allows a user to poison his own DNS, but if the cache is shared,
then it allows him to also poison the DNS of any other user on the machine.

The solution is per-user caches.


Simon.