From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dave Taht
To: Simon Kelley
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Thu, 17 Apr 2014 14:19:51 -0700
In-Reply-To: <5350412A.8010303@thekelleys.org.uk>
References: <1c739791-2058-4267-bc41-789496d74faf@email.android.com> <20140413175940.GP16334@angus.ind.WPI.EDU> <5350412A.8010303@thekelleys.org.uk>
Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
On Thu, Apr 17, 2014 at 2:01 PM, Simon Kelley wrote:
> On 14/04/14 00:24, Dave Taht wrote:
>>
>> So far as I know the caching functionality in dnsmasq in that instance
>> is disabled due to fears about cache poisoning, that I don't fully
>> understand. My half understood fear translates into equivalent fears
>> for other local dns daemons.
>>
>
> My understanding is that this relates to multi-user systems where the
> users share the cache and run on the local machine.
>
> Essentially, if I can generate cache misses at will, i.e. by making
> queries, then I can synchronously flood the DNS cache with bogus answers
> to the query. Source-port randomisation doesn't help: a simple netstat
> or equivalent will tell me that, so the only protection is the 16-bit
> query-id, which is no protection at all: 64k UDP packets via the
> loopback interface can easily arrive before one from the wider internet.
>
> That allows a user to poison his own DNS, but if the cache is shared,
> then it allows him to also poison the DNS of any other user on the machine.
>
> The solution is per-user caches.

That is an interesting factoid to add to the discussion over on the
fedora list... does unbound do this?

>
> Simon.
>

-- 
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
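The following is an added example, not code from the thread or from dnsmasq, that models the two points Simon makes above: how little the 16-bit query ID protects against a local user who can read the resolver's source port with netstat (compared with a remote attacker who must also guess a randomised port), and how namespacing the cache per uid confines a bogus answer to the user whose lookup lost the race. The upstream answers, the bogus record, the uids and the `ResolverCache`/`resolve` helpers are all constructed for this example; nothing here sends or crafts packets, it only replays the cache state the thread describes.

```python
"""Added example (not from the original thread): a model of shared-cache
poisoning on a multi-user host and of the per-user-cache mitigation.
All names, addresses and uids are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed upstream data: what the authoritative side would really answer.
UPSTREAM_ANSWERS = {"bank.example": "192.0.2.10"}
# Constructed bogus record that a local user injects while the real answer is in flight.
BOGUS_ANSWER = ("bank.example", "198.51.100.66")

ATTACKER_UID = 1000  # constructed: the user who floods the loopback interface
VICTIM_UID = 1001    # constructed: an unrelated user on the same host


def brute_force_success_probability(guesses: int, unknown_bits: int) -> float:
    """Chance that `guesses` distinct guesses cover the (source port, query ID)
    pair the resolver is waiting for, given `unknown_bits` unpredictable bits.

    Locally the source port is readable via netstat, so only the 16-bit query
    ID is unknown and 64k guesses cover the whole space. A remote attacker
    must also guess a randomised 16-bit port, so the same flood covers only
    2^-16 of the space."""
    space = 1 << unknown_bits
    return min(1.0, guesses / space)


@dataclass
class ResolverCache:
    """Toy positive cache. With per_user=True entries are namespaced by uid
    (the per-user-cache fix); with per_user=False every user shares one entry."""
    per_user: bool
    _store: Dict[Tuple[Optional[int], str], str] = field(default_factory=dict)

    def _key(self, uid: int, name: str) -> Tuple[Optional[int], str]:
        return (uid if self.per_user else None, name)

    def store_answer(self, uid: int, name: str, address: str) -> None:
        self._store[self._key(uid, name)] = address

    def lookup(self, uid: int, name: str) -> Optional[str]:
        return self._store.get(self._key(uid, name))


def resolve(cache: ResolverCache, uid: int, name: str) -> str:
    """Serve from cache; on a miss ask the constructed upstream table and cache it."""
    hit = cache.lookup(uid, name)
    if hit is not None:
        return hit
    answer = UPSTREAM_ANSWERS[name]
    cache.store_answer(uid, name, answer)
    return answer


def poisoning_scenario(per_user: bool) -> Tuple[str, str]:
    """Replay the thread's scenario: the attacker forces a miss for bank.example
    and the loopback flood wins the race, so the first answer accepted for the
    attacker's query is the bogus one. Returns (attacker's view, victim's view)."""
    cache = ResolverCache(per_user=per_user)
    name, bogus = BOGUS_ANSWER
    # The race is lost for the attacker's own query: the bogus record is cached.
    cache.store_answer(ATTACKER_UID, name, bogus)
    attacker_view = resolve(cache, ATTACKER_UID, name)
    victim_view = resolve(cache, VICTIM_UID, name)
    return attacker_view, victim_view


if __name__ == "__main__":
    print("local, port known, 64k guesses:", brute_force_success_probability(65536, 16))
    print("remote, port+ID unknown, 64k guesses:", brute_force_success_probability(65536, 32))
    print("shared cache (attacker, victim):", poisoning_scenario(per_user=False))
    print("per-user cache (attacker, victim):", poisoning_scenario(per_user=True))
```

With a shared cache the victim's lookup is a hit on the attacker's poisoned entry; with per-user namespacing the victim's lookup misses and goes upstream, so the damage stays with the user who poisoned his own view. The probability function makes the "64k packets over loopback" remark concrete: once the port is known, 65536 guesses cover the 16-bit ID space entirely.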