Robert Edmonds <edmo...@debian.org> writes: > Russ Allbery wrote: >> So far as I understand the additional protection provided by duplicate >> query merging, the attack that protects against practically requires >> direct access to the caching resolver, so listening only on localhost >> (or the equivalent) would make dnscache equivalently secure to any >> other DNS caching resolver.
> i think this is a rather tenuous assertion. it's only really true if > the resolver only performs lookups directly approved by the user sitting > at the machine, but on modern systems there are plenty of ways to > remotely induce queries to a caching resolver that only listens on the > loopback interface: HTTP resource loading in web browsers; DNS > prefetching in web browsers; MTAs which generate DNS lookups for HELO, > RCPT, etc.; DNS-based checks in email content filters. Except that my understanding of the attack is that it requires issuing DNS lookups for a (*very*) large number of RRs that are not in the local cache. This is difficult to force a service to do. For example, it's going to be quite hard to do this with HTTP requests in the volume required, since you have to open a new TCP connection from every address that you want the web server to look up. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
