On Thu, Nov 06, 2003 at 08:28:57AM +0900, masataka ohta wrote:
> Does the following work to prevent DNS cache contamination

A proper algorithm prevents that. There is a slight chance of spoofing
answers to a nameserver if you can guess its source port and query id.
However:

> 1) have no public access on shared media from cache to external
> network (to prevent MITM)

You need to trust your local segment indeed.

> 2) have separate cache for glue

This isn't necessary and is a bad idea.

> 3) cache an answer to a query but activate it only after a
> compatible answer is returned for a later query (to protect
> against ID space attack)

I don't understand this one, but indeed, there are some things you need
to do to prevent birthday attacks on the ID space.

Good luck.

--
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
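The two odds the reply is gesturing at (guessing one in-flight query's ID and source port, versus a birthday attack when the resolver has many identical queries outstanding at once), as an added worked example that is not part of the thread and not PowerDNS code. The model is my assumption, not something the mail states: a blind, off-path attacker sends `spoofed` forged answers with independent random (ID, port) guesses against `outstanding` concurrent queries for the same name, and the resolver either coalesces duplicate queries (one outstanding) or does not. `ID_SPACE`, `RANDOM_PORTS`, `p_spoof`, `scenarios` and `simulate` are names I chose, and the 300/300 figures are constructed sample parameters.

```python
"""Success odds of blind DNS answer spoofing: single guess vs. birthday attack.

Added example, not code from the thread or from PowerDNS. Modelling
assumptions (mine, not the mail's): the attacker is off-path and must guess
the 16-bit transaction ID, plus the source port when it is randomised; the
resolver either coalesces duplicate in-flight queries (one outstanding query
per name) or does not (the attacker can force `outstanding` concurrent
queries for the same name); each forged answer is an independent guess.
"""
import random

ID_SPACE = 1 << 16                 # DNS transaction ID is 16 bits
FIXED_PORT = 1                     # resolver always sends from one port
RANDOM_PORTS = (1 << 16) - 1024    # ephemeral source ports 1024..65535


def p_spoof(outstanding: int, spoofed: int, space: int) -> float:
    """Probability that at least one of `spoofed` forged answers, each with
    an independently chosen (ID, port) guess, matches one of `outstanding`
    concurrently in-flight queries, whose IDs are taken as distinct.
    outstanding == 1 is the classic single-query guess; outstanding > 1 is
    the birthday attack against a resolver that does not coalesce queries."""
    if outstanding <= 0 or spoofed <= 0:
        return 0.0
    if outstanding >= space:
        return 1.0
    return 1.0 - (1.0 - outstanding / space) ** spoofed


def scenarios(spoofed: int = 300, outstanding: int = 300) -> dict:
    """The four combinations of port randomisation and query coalescing."""
    return {
        "fixed port, coalescing":     p_spoof(1, spoofed, ID_SPACE * FIXED_PORT),
        "fixed port, no coalescing":  p_spoof(outstanding, spoofed, ID_SPACE * FIXED_PORT),
        "random port, coalescing":    p_spoof(1, spoofed, ID_SPACE * RANDOM_PORTS),
        "random port, no coalescing": p_spoof(outstanding, spoofed, ID_SPACE * RANDOM_PORTS),
    }


def simulate(outstanding: int, spoofed: int, space: int,
             trials: int = 2000, seed: int = 7) -> float:
    """Monte-Carlo check of p_spoof: draw the resolver's in-flight IDs and the
    attacker's guesses uniformly and count trials with at least one collision."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        in_flight = {rng.randrange(space) for _ in range(outstanding)}
        if any(rng.randrange(space) in in_flight for _ in range(spoofed)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for name, p in scenarios().items():
        print(f"{name:28s} P(success) = {p:.6f}")
    print("simulated, fixed port, no coalescing:", simulate(300, 300, ID_SPACE))
```

With a fixed source port, 300 forged answers against a single outstanding query succeed well under 1% of the time, but the same 300 answers against 300 simultaneous queries for the same name succeed roughly three times out of four; randomising the source port pushes both figures down by a factor of tens of thousands. Refusing to have more than one query for a name in flight (coalescing) is what takes the birthday term out of the equation, which is the kind of measure the reply says is needed on top of a good ID generator.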
