Development issues regarding the cerowrt test router project
 help / color / mirror / Atom feed
From: Dave Taht <dave.taht@gmail.com>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: "cerowrt-devel@lists.bufferbloat.net"
	<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
Date: Thu, 17 Apr 2014 14:19:51 -0700	[thread overview]
Message-ID: <CAA93jw42QF13bMy7diyRWHSWF24hT3yx9amd-NoVV2d6LgigVw@mail.gmail.com> (raw)
In-Reply-To: <5350412A.8010303@thekelleys.org.uk>

On Thu, Apr 17, 2014 at 2:01 PM, Simon Kelley <simon@thekelleys.org.uk> wrote:
> On 14/04/14 00:24, Dave Taht wrote:
>>
>>
>> So far as I know the caching functionality in dnsmasq in that instance
>> is disabled due to fears about cache poisoning, that I don't fully
>> understand. My half understood fear translates into equivalent fears
>> for other local dns daemons.
>>
>
> My understanding is that this relates to multi-user systems where the
> users share the cache  and run on the local machine.
>
> Essentially, if I can generate cache misses at will, ie by making
> queries, then I can synchronously flood the DNS cache with bogus answers
> to the query. Source-port randomisation doesn't help: a simple netstat
> or equivalent will tell me that, so the only protection is the 16-bit
> query-id, which is no protection at all: 64k UDP packets via the
> loopback interface can easily arrive before one from the wider internet.
>
> That allows a user to poison his own DNS, but if the cache is shared,
> then it allows him to also poison the DNS of any other user on the machine.
>
> The solution is per-user caches.

That is an interesting factoid to add to the discussion over on the
fedora list... does unbound do this?

>
>
> Simon.
>
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

  reply	other threads:[~2014-04-17 21:19 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-04-13  4:26 Dave Taht
2014-04-13  7:51 ` Török Edwin
2014-04-13 15:04   ` Dave Taht
2014-04-13 10:05 ` Toke Høiland-Jørgensen
2014-04-13 14:57   ` Dave Taht
2014-04-13 17:59   ` Chuck Anderson
2014-04-13 23:24     ` Dave Taht
2014-04-14  9:29       ` Aaron Wood
2014-04-17 21:01       ` Simon Kelley
2014-04-17 21:19         ` Dave Taht [this message]
2014-04-20 14:01     ` Chuck Anderson
2014-04-20 15:16       ` Valdis.Kletnieks
2014-04-20 15:41         ` Chuck Anderson
2014-04-13 16:16 ` dpreed
2014-04-13 16:40   ` Dave Taht
2014-04-13 17:57     ` Toke Høiland-Jørgensen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAA93jw42QF13bMy7diyRWHSWF24hT3yx9amd-NoVV2d6LgigVw@mail.gmail.com \
    --to=dave.taht@gmail.com \
    --cc=cerowrt-devel@lists.bufferbloat.net \
    --cc=simon@thekelleys.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox