[Cerowrt-devel] Full blown DNSSEC by default?
dave.taht at gmail.com
Thu Apr 17 17:19:51 EDT 2014
On Thu, Apr 17, 2014 at 2:01 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 14/04/14 00:24, Dave Taht wrote:
>> So far as I know the caching functionality in dnsmasq in that instance
>> is disabled due to fears about cache poisoning, that I don't fully
>> understand. My half understood fear translates into equivalent fears
>> for other local dns daemons.
> My understanding is that this relates to multi-user systems where the
> users share the cache and run on the local machine.
> Essentially, if I can generate cache misses at will, ie by making
> queries, then I can synchronously flood the DNS cache with bogus answers
> to the query. Source-port randomisation doesn't help: a simple netstat
> or equivalent will tell me that, so the only protection is the 16-bit
> query-id, which is no protection at all: 64k UDP packets via the
> loopback interface can easily arrive before one from the wider internet.
> That allows a user to poison his own DNS, but if the cache is shared,
> then it allows him to also poison the DNS of any other user on the machine.
> The solution is per-user caches.
That is an interesting factoid to add to the discussion over on the
fedora list... does unbound do this?
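To make the argument in Simon's quoted explanation concrete, here is a small model of a local resolver cache, added as an example and not code from dnsmasq, unbound or anyone on the thread. It compares a cache shared by all users on the host with a per-user cache, checks what the 16-bit query id buys an attacker on the same machine who can read the source port (the "netstat" case) versus a remote attacker who cannot, and shows who ends up with the bogus record in each configuration. The user names, host name and addresses are constructed placeholders.

```python
"""Model of the shared-cache poisoning argument from the thread above.

Constructed example, not code from dnsmasq or unbound.  It models a local
resolver cache in two configurations:

  * one cache shared by every user on the host
  * one cache per user (the fix described in the quoted message)

and checks (a) how large the guess space is for a forger when the source
port is visible and only the 16-bit query id protects the transaction, and
(b) who is affected by a successful poisoning in each configuration.
"""
import random
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16   # 16-bit DNS query id
PORT_SPACE = 1 << 16   # source-port randomisation, when the port is not visible


def forge_success_probability(forged_packets: int, port_known: bool) -> float:
    """Chance that a forger with `forged_packets` distinct guesses hits the
    outstanding (query-id, source-port) pair.  Assumes distinct guesses and
    that they all arrive before the genuine answer, as on the loopback path."""
    space = TXID_SPACE if port_known else TXID_SPACE * PORT_SPACE
    return min(1.0, forged_packets / space)


@dataclass
class PendingQuery:
    txid: int
    port: int


@dataclass
class ResolverCache:
    per_user: bool
    cache: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)

    def _key(self, user: str, name: str):
        # A per-user cache keys on the requesting user; a shared cache does not.
        return (user, name) if self.per_user else name

    def lookup(self, user: str, name: str):
        """Return a cached answer, or None on a cache miss."""
        return self.cache.get(self._key(user, name))

    def send_query(self, user: str, name: str) -> PendingQuery:
        """Cache miss: pick a random query id and source port and await an answer."""
        q = PendingQuery(random.randrange(TXID_SPACE), random.randrange(1024, PORT_SPACE))
        self.pending[self._key(user, name)] = q
        return q

    def receive_answer(self, user: str, name: str, txid: int, port: int, answer: str) -> bool:
        """Accept an answer only if id and port match the outstanding query.
        Those two fields are all a plain (non-DNSSEC) resolver has to go on."""
        key = self._key(user, name)
        q = self.pending.get(key)
        if q is None or q.txid != txid or q.port != port:
            return False
        del self.pending[key]
        self.cache[key] = answer
        return True


def local_attacker_poisons(cache: ResolverCache, user: str, name: str, bogus: str) -> bool:
    """Model the thread's scenario: a user on the same host triggers a miss with
    its own query, can see the source port (here: the PendingQuery object stands
    in for netstat), and covers every 16-bit query id before the real answer."""
    q = cache.send_query(user, name)
    for txid in range(TXID_SPACE):
        if cache.receive_answer(user, name, txid, q.port, bogus):
            return True
    return False


def blast_radius(per_user: bool) -> dict:
    """Who sees the bogus record after user 'mallory' poisons her own lookup?"""
    cache = ResolverCache(per_user=per_user)
    poisoned = local_attacker_poisons(cache, "mallory", "example.test", "192.0.2.66")
    return {
        "poisoned": poisoned,
        "mallory": cache.lookup("mallory", "example.test"),
        "alice": cache.lookup("alice", "example.test"),  # None means a clean miss
    }


if __name__ == "__main__":
    print("guesses to cover the id space, port known:", forge_success_probability(TXID_SPACE, True))
    print("same effort, port unknown:", forge_success_probability(TXID_SPACE, False))
    print("shared cache:", blast_radius(per_user=False))
    print("per-user cache:", blast_radius(per_user=True))
```

With the shared cache, `alice` gets the bogus address without ever having been attacked herself; with per-user caches the poisoning is confined to the user who performed it, which is the property the quoted message argues for. The probability function also shows why port randomisation matters for remote forgers but does nothing once the port is readable locally.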