On 14/04/14 00:24, Dave Taht wrote:
>
> So far as I know the caching functionality in dnsmasq in that instance
> is disabled due to fears about cache poisoning, that I don't fully
> understand. My half understood fear translates into equivalent fears
> for other local dns daemons.
>

My understanding is that this relates to multi-user systems where the users share the cache and run on the local machine.

Essentially, if I can generate cache misses at will, i.e. by making queries, then I can synchronously flood the DNS cache with bogus answers to the query. Source-port randomisation doesn't help: a simple netstat or equivalent will tell me that, so the only protection is the 16-bit query-id, which is no protection at all: 64k UDP packets via the loopback interface can easily arrive before one from the wider internet.

That allows a user to poison his own DNS, but if the cache is shared, then it allows him to also poison the DNS of any other user on the machine.

The solution is per-user caches.

Simon.

_______________________________________________
Cerowrt-devel mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/cerowrt-devel

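The following toy model, added here as an illustration and not code from dnsmasq, cerowrt or anyone on the thread, quantifies the point Simon makes and shows why per-user caches contain the damage. The resolver, cache, user names ("mallory", "alice"), the name "example.test" and the bogus answer are all constructed; nothing touches the network. `forged_reply_success` gives the chance that a flood of distinct guesses hits the outstanding query identity: with only the 16-bit txid to guess, 65536 replies over loopback guarantee a match, whereas a source port the local attacker cannot observe would add up to 16 more bits. `poison_then_read` then shows that a poisoned entry in a shared cache is served to a second user, while an isolated per-user cache leaves that user with a plain miss.

```python
"""Toy model of shared-cache DNS poisoning and the per-user-cache mitigation.
Added example, not project code; all names and answers are constructed."""
import random
from typing import Dict, Optional, Tuple

TXID_BITS = 16   # DNS transaction id is a 16-bit field
PORT_BITS = 16   # an unobservable random UDP source port adds up to 16 bits


def forged_reply_success(entropy_bits: int, forged_packets: int) -> float:
    """Probability that `forged_packets` distinct guesses at the outstanding
    (txid [, source port]) identity include the right one before the genuine
    answer arrives. Guessing every value of a 16-bit space is certain to hit."""
    space = 2 ** entropy_bits
    return min(1.0, forged_packets / space)


class Cache:
    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}

    def lookup(self, name: str) -> Optional[str]:
        return self.entries.get(name)

    def store(self, name: str, answer: str) -> None:
        self.entries[name] = answer


class Resolver:
    """Hypothetical stub resolver: one outstanding query per name, tagged with a
    random txid. With per_user=True every local user gets an isolated cache;
    otherwise all users share one cache, as in the scenario described."""

    def __init__(self, per_user: bool, rng: random.Random) -> None:
        self.per_user = per_user
        self.rng = rng
        self.caches: Dict[str, Cache] = {}
        self.pending: Dict[str, Tuple[str, int]] = {}   # name -> (user, txid)

    def _cache(self, user: str) -> Cache:
        key = user if self.per_user else "shared"
        return self.caches.setdefault(key, Cache())

    def query(self, user: str, name: str) -> Optional[str]:
        """Return a cached answer, or None after registering a pending lookup."""
        hit = self._cache(user).lookup(name)
        if hit is not None:
            return hit
        self.pending[name] = (user, self.rng.getrandbits(TXID_BITS))
        return None

    def deliver(self, name: str, txid: int, answer: str) -> bool:
        """A reply arrives. As in the thread, the txid is the only check
        modelled; a matching reply is cached for the requesting user's cache."""
        if name not in self.pending or self.pending[name][1] != txid:
            return False
        user, _ = self.pending.pop(name)
        self._cache(user).store(name, answer)
        return True


def poison_then_read(per_user: bool, seed: int = 1) -> Optional[str]:
    """User 'mallory' forces a miss and every possible txid is tried with a
    bogus answer; then 'alice' resolves the same name. Returns what alice gets
    from cache: the bogus record (shared cache) or None (her own empty cache)."""
    r = Resolver(per_user, random.Random(seed))
    name = "example.test"          # constructed sample name
    bogus = "192.0.2.66"           # constructed bogus answer (TEST-NET-1)
    assert r.query("mallory", name) is None
    for guess in range(2 ** TXID_BITS):
        if r.deliver(name, guess, bogus):
            break
    return r.query("alice", name)


if __name__ == "__main__":
    print("txid only, 64k packets :", forged_reply_success(TXID_BITS, 2 ** 16))
    print("txid+port, 64k packets :", forged_reply_success(TXID_BITS + PORT_BITS, 2 ** 16))
    print("shared cache, alice sees:", poison_then_read(per_user=False))
    print("per-user cache, alice sees:", poison_then_read(per_user=True))
```

The model deliberately ignores timing and the genuine answer; it only captures the two facts the mail relies on: a 16-bit identifier is exhaustible over loopback, and cache scope decides who is affected.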