On Thu, Apr 17, 2014 at 2:01 PM, Simon Kelley <[email protected]> wrote:
> On 14/04/14 00:24, Dave Taht wrote:
>>
>> So far as I know the caching functionality in dnsmasq in that instance
>> is disabled due to fears about cache poisoning, that I don't fully
>> understand. My half-understood fear translates into equivalent fears
>> for other local DNS daemons.
>
> My understanding is that this relates to multi-user systems where the
> users share the cache and run on the local machine.
>
> Essentially, if I can generate cache misses at will, i.e. by making
> queries, then I can synchronously flood the DNS cache with bogus answers
> to the query. Source-port randomisation doesn't help: a simple netstat
> or equivalent will tell me that, so the only protection is the 16-bit
> query-id, which is no protection at all: 64k UDP packets via the
> loopback interface can easily arrive before one from the wider internet.
>
> That allows a user to poison his own DNS, but if the cache is shared,
> then it allows him to also poison the DNS of any other user on the machine.
>
> The solution is per-user caches.
That is an interesting factoid to add to the discussion over on the Fedora list... does unbound do this?

> Simon.
>
> _______________________________________________
> Cerowrt-devel mailing list
> [email protected]
> https://lists.bufferbloat.net/listinfo/cerowrt-devel

--
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
