Robert Edmonds <edmo...@debian.org> writes:
> Russ Allbery wrote:

>> So far as I understand the additional protection provided by duplicate
>> query merging, the attack that protects against practically requires
>> direct access to the caching resolver, so listening only on localhost
>> (or the equivalent) would make dnscache equivalently secure to any
>> other DNS caching resolver.

> i think this is a rather tenuous assertion.  it's only really true if
> the resolver only performs lookups directly approved by the user sitting
> at the machine, but on modern systems there are plenty of ways to
> remotely induce queries to a caching resolver that only listens on the
> loopback interface: HTTP resource loading in web browsers; DNS
> prefetching in web browsers; MTAs which generate DNS lookups for HELO,
> RCPT, etc.; DNS-based checks in email content filters.

Except that my understanding of the attack is that it requires issuing DNS
lookups for a (*very*) large number of RRs that are not in the local
cache.  This is difficult to force a service to do.  For example, it's
going to be quite hard to do this with HTTP requests in the volume
required, since you have to open a new TCP connection from every address
that you want the web server to look up.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>
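A toy model, added here and not part of this thread or of dnscache's own code, of the point both messages turn on: duplicate-query merging collapses concurrent lookups for one uncached name into a single upstream query, but does nothing for lookups of many distinct uncached names, which is what the attack Russ describes needs. The Resolver class, the integer tick clock and the example.test names are constructed assumptions.

```python
# Constructed model of a caching resolver with and without duplicate-query
# merging.  The only metric is how many upstream queries a burst of induced
# lookups produces; each upstream query is one more outstanding transaction
# whose answer could be forged, so fewer is better for the defender.
from collections import defaultdict


class Resolver:
    """Time is an integer tick; an upstream answer arrives `rtt` ticks after
    the query is sent.  With merging, concurrent lookups for the same name
    share one outstanding upstream query instead of each sending their own."""

    def __init__(self, merge_duplicates, rtt=2):
        self.merge = merge_duplicates
        self.rtt = rtt
        self.cache = {}                     # name -> answer
        self.inflight = defaultdict(list)   # name -> [due_tick, ...]
        self.upstream_queries = 0           # exposure metric
        self.now = 0

    def lookup(self, name):
        if name in self.cache:
            return "hit"
        if self.merge and self.inflight[name]:
            return "merged"                 # piggyback on the in-flight query
        self.inflight[name].append(self.now + self.rtt)
        self.upstream_queries += 1
        return "upstream"

    def tick(self):
        self.now += 1
        for name, dues in list(self.inflight.items()):
            if any(d <= self.now for d in dues):
                self.cache[name] = "constructed-answer-for-" + name
                del self.inflight[name]


def same_name_burst(merge, clients=50, name="www.example.test"):
    """`clients` concurrent lookups for ONE uncached name inside a single RTT.
    Returns (upstream queries sent, result of a lookup after the answer lands)."""
    r = Resolver(merge)
    for _ in range(clients):
        r.lookup(name)
    r.tick(); r.tick()                      # upstream answer arrives
    return r.upstream_queries, r.lookup(name)


def distinct_names_burst(merge, n=20):
    """`n` lookups for n DIFFERENT uncached names: merging cannot help here."""
    r = Resolver(merge)
    for i in range(n):
        r.lookup("host%d.example.test" % i)
    return r.upstream_queries
```

Merging bounds the first case to a single upstream query however many lookups are induced; only a flood of distinct uncached names raises the count, and that is the volume the message above argues is hard to force through HTTP or mail.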



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org