[Cerowrt-devel] Full blown DNSSEC by default?

Dave Taht dave.taht at gmail.com
Thu Apr 17 17:19:51 EDT 2014


On Thu, Apr 17, 2014 at 2:01 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 14/04/14 00:24, Dave Taht wrote:
>>
>>
>> So far as I know the caching functionality in dnsmasq in that instance
>> is disabled due to fears about cache poisoning, that I don't fully
>> understand. My half understood fear translates into equivalent fears
>> for other local dns daemons.
>>
>
> My understanding is that this relates to multi-user systems where the
> users share the cache and run on the local machine.
>
> Essentially, if I can generate cache misses at will, ie by making
> queries, then I can synchronously flood the DNS cache with bogus answers
> to the query. Source-port randomisation doesn't help: a simple netstat
> or equivalent will tell me that, so the only protection is the 16-bit
> query-id, which is no protection at all: 64k UDP packets via the
> loopback interface can easily arrive before one from the wider internet.
>
> That allows a user to poison his own DNS, but if the cache is shared,
> then it allows him to also poison the DNS of any other user on the machine.
>
> The solution is per-user caches.

That is an interesting factoid to add to the discussion over on the
fedora list... does unbound do this?

>
>
> Simon.
>
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel at lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
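The race Simon describes above (a local user learns the resolver's source port with netstat, leaving only the 16-bit query ID, and a 65536-packet loopback flood lands before the genuine answer), modelled as a runnable Python example. This is code added by the editor, not dnsmasq or unbound code; the resolver class, the attacker functions, and the names and addresses are constructed for illustration. It shows the shared-cache outcome (a second user reads the poisoned entry), the per-user-cache outcome Simon proposes (the second user is unaffected), and for comparison the blind attacker who does not know the port and must cover roughly 2^32 (port, ID) pairs with the same budget.

```python
"""Model of the local-attacker cache-poisoning race described in the thread.
Editor-added example, not dnsmasq/unbound code: the Resolver model, attacker
functions, names and IPs below are constructed for illustration only."""
import random
import struct

QTYPE_A, QCLASS_IN = 1, 1
NAME, GOOD_IP, EVIL_IP = "example.com", "93.184.216.34", "10.0.0.66"  # constructed


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(txid, name, ip, ttl=300):
    """Minimal DNS answer: header, one question, one A record (name via pointer)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return hdr + question + answer


def parse_response(pkt):
    """Return (txid, A-record IP) from a packet built by build_response."""
    txid = struct.unpack("!H", pkt[:2])[0]
    off = 12                      # skip the 12-byte header, then the question name
    while pkt[off]:
        off += pkt[off] + 1
    off += 1 + 4                  # name terminator + qtype/qclass
    rdlen = struct.unpack("!H", pkt[off + 10:off + 12])[0]
    return txid, ".".join(str(b) for b in pkt[off + 12:off + 12 + rdlen])


class Resolver:
    """Caching resolver: accepts the first reply matching (source port, txid),
    which is all a UDP resolver can check without DNSSEC."""

    def __init__(self, rng, per_user_cache=False):
        self.rng, self.per_user = rng, per_user_cache
        self.caches, self.pending = {}, None

    def cache_for(self, user):
        return self.caches.setdefault(user if self.per_user else "shared", {})

    def lookup(self, user, name, upstream_ip, forged_replies):
        cache = self.cache_for(user)
        if name in cache:
            return cache[name]
        port, txid = self.rng.randrange(1024, 65536), self.rng.randrange(65536)
        self.pending = (port, txid)
        # Loopback beats the Internet: every forged reply is examined first.
        for dport, pkt in forged_replies(name):
            rtxid, ip = parse_response(pkt)
            if dport == port and rtxid == txid:
                cache[name] = ip
                return ip
        _, ip = parse_response(build_response(txid, name, upstream_ip))  # genuine answer
        cache[name] = ip
        return ip


def attacker_knowing_port(resolver):
    """Port read from netstat (modelled by peeking at resolver.pending);
    only the 16-bit txid is left, so a 2**16 sweep is guaranteed to hit."""
    def flood(name):
        port = resolver.pending[0]
        for txid in range(65536):
            yield port, build_response(txid, name, EVIL_IP)
    return flood


def attacker_blind(budget=65536):
    """No port knowledge: the same budget spent guessing (port, txid) pairs."""
    def flood(name):
        g = random.Random(1)
        for _ in range(budget):
            yield g.randrange(1024, 65536), build_response(g.randrange(65536), name, EVIL_IP)
    return flood


def search_space(port_known):
    """Number of (port, txid) values an attacker must cover to be sure of a hit."""
    return 2 ** 16 if port_known else (65536 - 1024) * 2 ** 16


def run(per_user_cache, port_known):
    """Mallory forces a cache miss and floods; Alice then resolves the same name."""
    r = Resolver(random.Random(7), per_user_cache)
    flood = attacker_knowing_port(r) if port_known else attacker_blind()
    mallory = r.lookup("mallory", NAME, GOOD_IP, flood)
    alice = r.lookup("alice", NAME, GOOD_IP, lambda name: iter(()))
    return mallory, alice


if __name__ == "__main__":
    for per_user in (False, True):
        for known in (True, False):
            print(f"per_user_cache={per_user} port_known={known}: {run(per_user, known)}")
    print("search space, port known vs unknown:", search_space(True), search_space(False))
```

With a shared cache and a known port, `run(False, True)` returns the attacker's address for both users; with per-user caches, `run(True, True)` poisons only Mallory's own view and Alice still gets the genuine answer. The blind attacker with the same 65536-packet budget covers about one part in 64512 of the space and almost always loses the race, which is the whole benefit of source-port randomisation that a local netstat takes away.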


