To:
masataka ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc:
dnsop@cafax.se
From:
bert hubert <ahu@ds9a.nl>
Date:
Thu, 6 Nov 2003 08:00:44 +0100
Content-Disposition:
inline
In-Reply-To:
<3FA987B9.8000902@necom830.hpcl.titech.ac.jp>
Mail-Followup-To:
bert hubert <ahu@ds9a.nl>,masataka ohta <mohta@necom830.hpcl.titech.ac.jp>, dnsop@cafax.se
Sender:
owner-dnsop@cafax.se
User-Agent:
Mutt/1.3.28i
Subject:
Re: preventing cache contamination
On Thu, Nov 06, 2003 at 08:28:57AM +0900, masataka ohta wrote:
> Does the following work to prevent DNS cache contamination

A proper algorithm prevents that. There is a slight chance of spoofing
answers to a nameserver if you can guess its source port and query id.
However:

> 1) have no public access on shared media from cache to external
> network (to prevent MITM)

You need to trust your local segment indeed.

> 2) have separate cache for glue

This isn't necessary and a bad idea.

> 3) cache an answer to a query but activate it only after a
> compatible answer is returned for latter query (to protect
> against ID space attack)

I don't understand this one, but indeed, there are some things you need to
do to prevent birthday attacks on the ID space.

Good luck.

-- 
http://www.PowerDNS.com Open source, database driven DNS Software
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
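The two risks named in the reply above (guessing the source port and query ID of a single outstanding query, and the birthday speed-up an attacker gets when many queries for the same name are outstanding at once) can be quantified with a small model. The following is an added example written for this page; it is not code from the thread, from PowerDNS, or from any resolver. It assumes a resolver that tags each outstanding query with a uniformly random 16-bit ID and, optionally, a random UDP source port, and an attacker who knows everything else about the query so that a forged reply is accepted as soon as ID and port match. The function names, the 64512-port figure and the sample query counts are assumptions chosen for illustration.

```python
"""Model of forged-answer attacks on a caching resolver (constructed example).

Assumptions (not from the thread):
- each outstanding query carries a uniformly random 16-bit ID and, when port
  randomisation is on, a uniformly random source port;
- the attacker knows the question, the authoritative address and the timing,
  so a forged reply wins as soon as its (ID, port) pair matches a live query;
- `outstanding` concurrent queries for the same name are tagged independently,
  which is what gives the attacker the birthday speed-up.
"""
import math
import random


def guess_space(id_bits: int = 16, port_choices: int = 1) -> int:
    """Number of distinct (query ID, source port) pairs the attacker must guess among.

    port_choices=1 models a resolver that always sends from one fixed port;
    a resolver picking from the ephemeral range would pass e.g. 64512 (assumed)."""
    return (1 << id_bits) * port_choices


def spoof_probability(forged_replies: int, outstanding: int, space: int) -> float:
    """P(at least one of `forged_replies` random guesses hits one of `outstanding`
    distinct live (ID, port) pairs drawn from `space`).

    outstanding=1 is the plain guess-the-ID attack; outstanding>1 is the
    birthday variant where the attacker first provokes many live queries."""
    if not 0 < outstanding <= space:
        raise ValueError("outstanding queries must lie in 1..space")
    miss_all = 1.0 - outstanding / space          # one guess misses every live pair
    return 1.0 - miss_all ** forged_replies        # complement of "all guesses miss"


def forged_replies_for(target: float, outstanding: int, space: int) -> int:
    """Smallest number of forged replies that reaches success probability `target`."""
    if not 0 < target < 1:
        raise ValueError("target must be a probability strictly between 0 and 1")
    miss_all = 1.0 - outstanding / space
    return math.ceil(math.log(1.0 - target) / math.log(miss_all))


def simulate(forged_replies: int, outstanding: int, space: int,
             trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo cross-check of spoof_probability.

    Each trial draws the resolver's live (ID, port) set and the attacker's
    guesses uniformly at random; returns the observed success fraction."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        live = {rng.randrange(space) for _ in range(outstanding)}
        if any(rng.randrange(space) in live for _ in range(forged_replies)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    fixed_port = guess_space(16, 1)            # 16-bit ID, fixed source port
    random_port = guess_space(16, 64512)       # 16-bit ID plus a random ephemeral port
    print("single query, 1 forged reply, fixed port :",
          spoof_probability(1, 1, fixed_port))
    print("single query, forged replies for 50%     :",
          forged_replies_for(0.5, 1, fixed_port))
    print("300 live queries, 300 forged, fixed port :",
          spoof_probability(300, 300, fixed_port))
    print("  same attack, Monte Carlo               :",
          simulate(300, 300, fixed_port))
    print("300 live queries, 300 forged, random port:",
          spoof_probability(300, 300, random_port))
```

The point the numbers make is the one in the reply: against one outstanding query and a fixed source port the attacker needs tens of thousands of forged packets for even odds, but if the resolver can be induced to keep a few hundred queries for the same name in flight at once, a few hundred forged packets already succeed most of the time. Randomising the source port multiplies the guess space by the number of usable ports and pushes both figures back down, and refusing to issue duplicate outstanding queries for the same name removes the birthday advantage entirely.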