

To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: dnsop@cafax.se
From: bert hubert <ahu@ds9a.nl>
Date: Fri, 7 Nov 2003 08:15:20 +0100
Content-Disposition: inline
In-Reply-To: <3FAB2C59.3040404@necom830.hpcl.titech.ac.jp>
Mail-Followup-To: bert hubert <ahu@ds9a.nl>,Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, dnsop@cafax.se
Sender: owner-dnsop@cafax.se
User-Agent: Mutt/1.3.28i
Subject: Re: preventing cache contamination

On Fri, Nov 07, 2003 at 02:23:37PM +0900, Masataka Ohta wrote:

> It is just enough protection against the well known attack to
> contaminate cache by glue A, which I confirmed to work about
> 10 years ago.

pdns_recursor simply rejects answers that are not in the zone of the NS that
caused it to recurse to that nameserver. So:

> That is, with
> 
> 	hpcl.titech.ac.jp.	NS	foo.bar
> 	foo.bar.		A	131.112.32.132

Say a question originally arrived for www.hpcl.titech.ac.jp, and
pdns_recursor already had "titech.ac.jp NS your-nameserver", pdns_recursor
only accepts answers within or above titech.ac.jp. Foo.bar is immediately
rejected, as it does not end on titech.ac.jp.

Every once in a while this causes pdns to ask more questions than strictly
necessary but it's still faster than most recursing nameservers.

Run pdns_recursor in --trace mode to see it explain all its decisions. In
this case, the glue is not necessary and hence not accepted.

I think DJB does something smarter and accepts the glue *only* for this
question.

> I'm saying answer should be stored in cache for later use, only
> if the same answer is obtained multiple times with independent
> IDs.

Ah - so you just ask a question multiple times with different id and source
port, making it exponentially harder to spoof an answer. Sure, that would
work but it doubles the load on authoritative nameservers.

Bert.

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
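The acceptance rule Bert describes (keep only records whose owner name is within or above the zone whose NS led to the query), as an added example that is not PowerDNS code; the referral is constructed from the one quoted in the thread, and the in-zone glue record for ns.titech.ac.jp is an assumed addition:

```python
# Added example: the bailiwick rule described in the mail, applied to a
# constructed referral. This is not pdns_recursor source.

def labels(name):
    """Split a DNS name into lower-cased labels; root is the empty list."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]

def is_subdomain(child, parent):
    """True if child equals parent or lies below it, comparing whole labels.
    A plain string suffix test would wrongly accept 'eviltitech.ac.jp'."""
    c, p = labels(child), labels(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p

def in_bailiwick(zone, owner):
    """The rule as the mail states it: accept names within the zone
    (below or equal) or above it (an ancestor of the zone)."""
    return is_subdomain(owner, zone) or is_subdomain(zone, owner)

def filter_answer(zone, records):
    """Split (owner, type, rdata) records into accepted and rejected lists."""
    accepted, rejected = [], []
    for rec in records:
        (accepted if in_bailiwick(zone, rec[0]) else rejected).append(rec)
    return accepted, rejected

# Constructed referral, modelled on the one quoted in the thread, received
# from a server reached via "titech.ac.jp NS ...". The ns.titech.ac.jp glue
# (documentation address 192.0.2.1) is an assumed, in-zone record.
REFERRAL = [
    ("hpcl.titech.ac.jp.", "NS", "foo.bar."),
    ("foo.bar.", "A", "131.112.32.132"),
    ("ns.titech.ac.jp.", "A", "192.0.2.1"),
]

if __name__ == "__main__":
    ok, dropped = filter_answer("titech.ac.jp", REFERRAL)
    for rec in ok:
        print("accepted:", rec)
    for rec in dropped:
        print("rejected (out of bailiwick):", rec)
```

The foo.bar glue is dropped because its owner does not share the zone's labels, so the resolver must look up foo.bar separately, which is the extra query Bert mentions.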
