On Thu, Aug 29, 2013 at 11:07 AM, Dario Lombardo < [email protected]> wrote:
> On Thu, Aug 29, 2013 at 4:35 PM, Evan Huus <[email protected]> wrote:
>
>> Basically, but it's also more. If your capture contains a DNS packet
>> resolving a name in a certain way, and the system name resolver gives a
>> different answer, we prefer the DNS packet in the capture (since presumably
>> the capture was on some local network where that name resolves
>> differently). For this reason we can't just drop old cache entries unless
>> name resolution is disabled completely.
>
> That's really interesting. This means that if a DNS packet with a fake
> resolution is received, it can pollute the "cache".

Yes. The assumption is that if the in-capture DNS and the system resolver
disagree, the capture was done on some local network with its own private DNS
where certain names resolve specially. For example, if I do a capture on my
local network and I ping myserver1 (which resolves to a 192.168 address) then
Wireshark will correctly resolve that ping as long as it caught the DNS
exchange as well.

> I've triggered this behaviour in the attached pcap file. It appears that
> I'm pinging google (in my svn wireshark), while actually I'm pinging a
> private address :).

It can certainly be abused, but the real IP is always available and it's
never been a problem thus far in practice :)
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
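The pcap Dario attached is not in the archive, so here is an added, self-contained way to reproduce the behaviour the two messages describe: a capture containing a forged DNS A record that maps a public name to a private address, followed by an ICMP echo to that private address. Opened in Wireshark with network name resolution enabled, the echo's destination is displayed under the spoofed name, because the in-capture answer is preferred over the system resolver. This is example code written for this thread, not Wireshark project code or Dario's original file; the name, addresses, MACs, ports and timestamps are made-up values chosen for the demonstration, and the file is written with the standard library only (no scapy).

```python
"""Build a tiny pcap that reproduces the name-resolution behaviour from the thread:
a forged DNS answer followed by an ICMP echo to the "resolved" address.
All names, addresses and MACs below are constructed sample values (assumptions)."""
import socket
import struct

SPOOFED_NAME = "www.google.com"   # name the forged record claims to answer for
PRIVATE_IP = "192.168.1.10"       # address the echo request is actually sent to
RESOLVER_IP = "192.168.1.1"       # "DNS server" that sends the forged answer
CLIENT_IP = "192.168.1.50"
CLIENT_MAC = bytes.fromhex("020000000001")
GW_MAC = bytes.fromhex("020000000002")
BASE_TS = 1377788859              # arbitrary timestamp (2013-08-29), an assumption


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encode_dns_name(name: str) -> bytes:
    """Wire-format DNS name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_dns_answer(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Standard response (QR=1, RD, RA): one A question, one A answer via a name pointer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_dns_name(name) + struct.pack("!HH", 1, 1)        # type A, class IN
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 1) -> bytes:
    """20-byte IPv4 header with correct total length and checksum, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    # A zero UDP checksum means "not computed", which is legal over IPv4.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp_echo(ident: int = 0x1234, seq: int = 1, data: bytes = b"wireshark-dev") -> bytes:
    """ICMP type 8 (echo request) with a valid checksum."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]


def ethernet(src: bytes, dst: bytes, payload: bytes) -> bytes:
    return dst + src + b"\x08\x00" + payload         # EtherType 0x0800 = IPv4


def build_frames() -> list:
    """Frame 1: forged A record naming PRIVATE_IP. Frame 2: echo request to PRIVATE_IP."""
    dns = build_dns_answer(0xBEEF, SPOOFED_NAME, PRIVATE_IP)
    f1 = ethernet(GW_MAC, CLIENT_MAC,
                  build_ipv4(RESOLVER_IP, CLIENT_IP, 17, build_udp(53, 40000, dns), ident=1))
    f2 = ethernet(CLIENT_MAC, GW_MAC,
                  build_ipv4(CLIENT_IP, PRIVATE_IP, 1, build_icmp_echo(), ident=2))
    return [f1, f2]


def pcap_bytes(frames: list) -> bytes:
    """Classic little-endian libpcap file: global header (LINKTYPE_ETHERNET=1) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", BASE_TS + i, 0, len(frame), len(frame)) + frame
    return out


def write_pcap(path: str) -> int:
    data = pcap_bytes(build_frames())
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    print("wrote", write_pcap("spoofed-dns.pcap"), "bytes")
```

Open the resulting file in Wireshark with network name resolution turned on and frame 2 should display its destination as www.google.com even though the packet goes to 192.168.1.10; open it with resolution disabled (for example `tshark -n -r spoofed-dns.pcap`) and the real address is shown, which is the "real IP is always available" point Evan makes. The same file is a convenient fixture for checking that any tooling built on Wireshark's resolved names does not trust them for anything security-relevant.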
