From: Dave Taht <dave.taht@gmail.com>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: "cerowrt-devel@lists.bufferbloat.net"
<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
Date: Thu, 17 Apr 2014 14:19:51 -0700 [thread overview]
Message-ID: <CAA93jw42QF13bMy7diyRWHSWF24hT3yx9amd-NoVV2d6LgigVw@mail.gmail.com> (raw)
In-Reply-To: <5350412A.8010303@thekelleys.org.uk>
On Thu, Apr 17, 2014 at 2:01 PM, Simon Kelley <simon@thekelleys.org.uk> wrote:
> On 14/04/14 00:24, Dave Taht wrote:
>>
>>
>> So far as I know the caching functionality in dnsmasq in that instance
>> is disabled due to fears about cache poisoning, that I don't fully
>> understand. My half understood fear translates into equivalent fears
>> for other local dns daemons.
>>
>
> My understanding is that this relates to multi-user systems where the
> users share the cache and run on the local machine.
>
> Essentially, if I can generate cache misses at will, ie by making
> queries, then I can synchronously flood the DNS cache with bogus answers
> to the query. Source-port randomisation doesn't help: a simple netstat
> or equivalent will tell me that, so the only protection is the 16-bit
> query-id, which is no protection at all: 64k UDP packets via the
> loopback interface can easily arrive before one from the wider internet.
>
> That allows a user to poison his own DNS, but if the cache is shared,
> then it allows him to also poison the DNS of any other user on the machine.
>
> The solution is per-user caches.
That is an interesting factoid to add to the discussion over on the
fedora list... does unbound do this?
>
>
> Simon.
>
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
--
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
next prev parent reply other threads:[~2014-04-17 21:19 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-13 4:26 Dave Taht
2014-04-13 7:51 ` Török Edwin
2014-04-13 15:04 ` Dave Taht
2014-04-13 10:05 ` Toke Høiland-Jørgensen
2014-04-13 14:57 ` Dave Taht
2014-04-13 17:59 ` Chuck Anderson
2014-04-13 23:24 ` Dave Taht
2014-04-14 9:29 ` Aaron Wood
2014-04-17 21:01 ` Simon Kelley
2014-04-17 21:19 ` Dave Taht [this message]
2014-04-20 14:01 ` Chuck Anderson
2014-04-20 15:16 ` Valdis.Kletnieks
2014-04-20 15:41 ` Chuck Anderson
2014-04-13 16:16 ` dpreed
2014-04-13 16:40 ` Dave Taht
2014-04-13 17:57 ` Toke Høiland-Jørgensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAA93jw42QF13bMy7diyRWHSWF24hT3yx9amd-NoVV2d6LgigVw@mail.gmail.com \
--to=dave.taht@gmail.com \
--cc=cerowrt-devel@lists.bufferbloat.net \
--cc=simon@thekelleys.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox