On 15-Feb-2009, at 1:28 PM, Ondřej Surý wrote:
>>>> Cache snooping lets anyone see who you've been talking to, when you looked it up, and when the cache will expire.
>>> cache snooping can also facilitate amplification attacks, see RFC 5358.
>> No, not without recursion enabled it can't.
> Yes, it can. Just spoof query to something which is already in cache (like root servers).
RFC 5358 describes an attack which effectively requires the nameserver to perform a recursive lookup for the queries that are part of the attack. To quote the RFC:
"DNS authoritative servers that do not provide recursion to clients
can also be used as amplifiers; however, the amplification potential
is greatly reduced when authoritative servers are used."
"This document's recommendations are
concerned with recursive nameservers only."
I.e. if recursion is _not_ performed for any "foreign" queries then
nobody outside of the networks "trusted" by the caching nameserver can
succeed at this attack any more than they could succeed at using _any_
and _every_ authoritative nameserver "normally".
I guess what I'm suggesting is something like this, which of course is not quite possible yet with unbound:
server:
        # "trusted" networks can do recursive and non-recursive queries
        # (Unbound's parser wants full dotted-quad prefixes; the RFC 1918
        # block is 172.16.0.0/12, not /16)
        access-control: 127.0.0.0/8 allow_snoop
        access-control: 10.0.0.0/8 allow_snoop
        access-control: 172.16.0.0/12 allow_snoop
        access-control: 192.168.0.0/16 allow_snoop
        access-control: N.N.N.N/24 allow_snoop   # site's public IP space
        # everyone else can only do non-recursive queries of "public" data
        # (snoop_public is the proposed action; Unbound does not implement it)
        access-control: 0.0.0.0/0 snoop_public
--
Greg A. Woods; Planix, Inc.
<[email protected]>
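The probe the thread is arguing about, as an added example (not Unbound's code and not Greg's): a raw DNS query with the RD bit clear, plus a parser that reads the reply the way a snooper would (answer present means the name was in cache; the TTL is the remaining lifetime), and the size ratio that matters for Ondřej's point that a cached answer is amplification even when recursion is refused. The three replies below are constructed by hand; the resolver address in `probe()` is only an illustration.

```python
"""Cache-snooping probe and amplification ratio, worked by hand.

Added example for the unbound-users thread; not code from Unbound or the
poster.  All sample replies are constructed inline so the module runs offline.
"""
import socket
import struct


def encode_name(name):
    """Encode a dotted name in DNS label format."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, rd=False, qid=0x1234):
    """Build a single-question query; rd=False is what a cache snooper sends."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, rcode, answers):
    """Constructed reply: echoes the question, QR=1, RA=1, answers as A records."""
    qid, _flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8080 | rcode          # QR | RA, RD left clear as in the query
    body = query[12:]               # question section verbatim
    for ttl, rdata in answers:
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, flags, qd, len(answers), 0, 0) + body


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, then done
            return off + 2
        off += length + 1


def parse_response(data):
    """Pull out flags, rcode, answer count and the TTL of each answer RR."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # QTYPE + QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(data, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return {"id": qid, "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an, "ttls": ttls, "size": len(data)}


def classify(resp):
    """What a snooper learns from an RD=0 reply."""
    if resp["rcode"] == 5:          # REFUSED: an access-control 'refuse' action
        return "refused"
    if resp["ancount"] > 0:         # answered without recursion => it was cached
        return "cached"
    return "not-cached"


def amplification(query, response):
    """Bytes returned per byte sent; >1 means the cache is usable as an amplifier."""
    return len(response) / len(query)


def probe(resolver, name, timeout=2.0):
    """Live version against a real resolver (illustrative; not run below)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    return classify(parse_response(data))


# Constructed samples: the same RD=0 question, three possible replies.
QUERY = build_query("www.example.com")                       # RD=0 snoop query
HIT = build_response(QUERY, 0, [(41, bytes([93, 184, 216, 34]))])  # 41s of TTL left
MISS = build_response(QUERY, 0, [])                          # nothing cached
REFUSED = build_response(QUERY, 5, [])                       # 'refuse' policy

if __name__ == "__main__":
    for label, reply in (("hit", HIT), ("miss", MISS), ("refused", REFUSED)):
        r = parse_response(reply)
        print(label, classify(r), r["ttls"], "x%.2f" % amplification(QUERY, reply))
```

The `HIT` reply is 49 bytes for a 33-byte query, so even a resolver that never recurses for outsiders hands back about 1.5x what it receives, and the ratio grows with the size of the cached RRset (a root NS set with glue is far larger than one A record). That is the gap between RFC 5358's "greatly reduced" and "zero".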
_______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
