To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: dnsop@cafax.se
From: bert hubert <ahu@ds9a.nl>
Date: Fri, 7 Nov 2003 09:03:38 +0100
Content-Disposition: inline
In-Reply-To: <3FAB4CE7.2060902@necom830.hpcl.titech.ac.jp>
Mail-Followup-To: bert hubert <ahu@ds9a.nl>, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, dnsop@cafax.se
Sender: owner-dnsop@cafax.se
User-Agent: Mutt/1.3.28i
Subject: Re: preventing cache contamination
On Fri, Nov 07, 2003 at 04:42:31PM +0900, Masataka Ohta wrote:

> >Ah - so you just ask a question multiple times with different id and source
> >port, making it exponentially harder to spoof an answer.
>
> No, though it is a protection on end systems. To prevent cache
> contamination, it is enough that caching server caches information
> only if there are more than one query.

Ah - that would still allow the first answer to be spoofed. How do you deal
with bona fide changes within the TTL? These also generate different answers
than before.

> Not necessarily. That is, as for caching servers, some questions
> are asked only once that there is no duplicated query generated.
>
> Anyway, does anyone mind?

I think every recursor is free to determine its own strategy, if this rocks
your boat, go right ahead :-)

> >Say a question originally arrived for www.hpcl.titech.ac.jp, and
> >pdns_recursor already had "titech.ac.jp NS your-nameserver", pdns_recursor
> >only accepts answers within or above titech.ac.jp. Foo.bar is immediately
> >rejected, as it does not end on titech.ac.jp.
>
> Are you saying nameservers "[a-m].gtld-servers.net." for "com." are
> rejected?

No, I look at the left hand side, [a-m].gtld-servers.net are accepted from
the "." nameserver because they are records for "COM." which is above ".".
They are also accepted from [a-m].gtld-servers.net themselves, as they are
the "COM." nameservers.
Output of --trace:

question for 'www.theregister.com|A' from 127.0.0.1
www.theregister.com: Looking for CNAME cache hit of 'www.theregister.com|CNAME'
www.theregister.com: No CNAME cache hit of 'www.theregister.com|CNAME' found
www.theregister.com: Looking for direct cache hit of 'www.theregister.com|A', 0
www.theregister.com: No cache hit for 'www.theregister.com|A', trying to find an appropriate NS record
www.theregister.com: Checking if we have NS in cache for 'www.theregister.com'
www.theregister.com: Checking if we have NS in cache for 'theregister.com'
www.theregister.com: Checking if we have NS in cache for 'com'
www.theregister.com: Checking if we have NS in cache for ''
www.theregister.com: NS (with ip, or non-glue) in cache for '' -> 'A.ROOT-SERVERS.NET'
www.theregister.com: endson: 1, in cache, ttl=3599999
www.theregister.com: NS (with ip, or non-glue) in cache for '' -> 'B.ROOT-SERVERS.NET'
www.theregister.com: endson: 1, in cache, ttl=3599999
www.theregister.com: NS (with ip, or non-glue) in cache for '' -> 'C.ROOT-SERVERS.NET'
www.theregister.com: endson: 1, in cache, ttl=3599999
www.theregister.com: NS (with ip, or non-glue) in cache for '' -> 'D.ROOT-SERVERS.NET'
www.theregister.com: endson: 1, in cache, ttl=3599999
www.theregister.com: NS (with ip, or non-glue) in cache for '' -> 'E.ROOT-SERVERS.NET'
www.theregister.com: endson: 1, in cache, ttl=3599999
www.theregister.com: NS (with ip, or non-glue) in cache for '' -> 'F.ROOT-SERVERS.NET'
www.theregister.com: endson: 1, in cache, ttl=3599999
www.theregister.com: NS (with ip, or non-glue) in cache for '' -> 'G.ROOT-SERVERS.NET'
www.theregister.com: endson: 1, in cache, ttl=3599999
www.theregister.com: NS (with ip, or non-glue) in cache for '' -> 'H.ROOT-SERVERS.NET'
www.theregister.com: endson: 1, in cache, ttl=3599999
www.theregister.com: NS (with ip, or non-glue) in cache for '' -> 'I.ROOT-SERVERS.NET'
www.theregister.com: endson: 1, in cache, ttl=3599999
www.theregister.com: NS (with ip, or non-glue) in cache for '' -> 'J.ROOT-SERVERS.NET'
www.theregister.com: endson: 1, in cache, ttl=3599999
www.theregister.com: NS (with ip, or non-glue) in cache for '' -> 'K.ROOT-SERVERS.NET'
www.theregister.com: endson: 1, in cache, ttl=3599999
www.theregister.com: NS (with ip, or non-glue) in cache for '' -> 'L.ROOT-SERVERS.NET'
www.theregister.com: endson: 1, in cache, ttl=3599999
www.theregister.com: NS (with ip, or non-glue) in cache for '' -> 'M.ROOT-SERVERS.NET'
www.theregister.com: endson: 1, in cache, ttl=3599999
www.theregister.com: We have NS in cache for ''
www.theregister.com: Cache consultations done, have 13 NS to contact
www.theregister.com: Trying to resolve NS M.ROOT-SERVERS.NET (1/13)
M.ROOT-SERVERS.NET: Looking for CNAME cache hit of 'm.root-servers.net|CNAME'
M.ROOT-SERVERS.NET: No CNAME cache hit of 'm.root-servers.net|CNAME' found
M.ROOT-SERVERS.NET: Looking for direct cache hit of 'm.root-servers.net|A', 0
M.ROOT-SERVERS.NET: Found cache hit for A: 202.12.27.33[ttl=3599999]
www.theregister.com: Resolved NS M.ROOT-SERVERS.NET to 202.12.27.33, asking 'www.theregister.com|A'
www.theregister.com: Got 26 answers from M.ROOT-SERVERS.NET (202.12.27.33), rcode=0
www.theregister.com: accept answer 'com|NS|A.GTLD-SERVERS.NET' from '' nameservers? YES!
www.theregister.com: accept answer 'com|NS|G.GTLD-SERVERS.NET' from '' nameservers? YES!
www.theregister.com: accept answer 'com|NS|H.GTLD-SERVERS.NET' from '' nameservers? YES!
www.theregister.com: accept answer 'com|NS|C.GTLD-SERVERS.NET' from '' nameservers? YES!
www.theregister.com: accept answer 'com|NS|I.GTLD-SERVERS.NET' from '' nameservers? YES!
www.theregister.com: accept answer 'com|NS|B.GTLD-SERVERS.NET' from '' nameservers? YES!
www.theregister.com: accept answer 'com|NS|D.GTLD-SERVERS.NET' from '' nameservers? YES!
www.theregister.com: accept answer 'com|NS|L.GTLD-SERVERS.NET' from '' nameservers? YES!
www.theregister.com: accept answer 'com|NS|F.GTLD-SERVERS.NET' from '' nameservers? YES!
www.theregister.com: accept answer 'com|NS|J.GTLD-SERVERS.NET' from '' nameservers? YES!
www.theregister.com: accept answer 'com|NS|K.GTLD-SERVERS.NET' from '' nameservers? YES!
www.theregister.com: accept answer 'com|NS|E.GTLD-SERVERS.NET' from '' nameservers? YES!
www.theregister.com: accept answer 'com|NS|M.GTLD-SERVERS.NET' from '' nameservers? YES!
www.theregister.com: accept answer 'A.GTLD-SERVERS.NET|A|192.5.6.30' from '' nameservers? YES!
www.theregister.com: accept answer 'G.GTLD-SERVERS.NET|A|192.42.93.30' from '' nameservers? YES!
www.theregister.com: accept answer 'H.GTLD-SERVERS.NET|A|192.54.112.30' from '' nameservers? YES!
www.theregister.com: accept answer 'C.GTLD-SERVERS.NET|A|192.26.92.30' from '' nameservers? YES!
www.theregister.com: accept answer 'I.GTLD-SERVERS.NET|A|192.43.172.30' from '' nameservers? YES!
www.theregister.com: accept answer 'B.GTLD-SERVERS.NET|A|192.33.14.30' from '' nameservers? YES!
www.theregister.com: accept answer 'D.GTLD-SERVERS.NET|A|192.31.80.30' from '' nameservers? YES!
www.theregister.com: accept answer 'L.GTLD-SERVERS.NET|A|192.41.162.30' from '' nameservers? YES!
www.theregister.com: accept answer 'F.GTLD-SERVERS.NET|A|192.35.51.30' from '' nameservers? YES!
www.theregister.com: accept answer 'J.GTLD-SERVERS.NET|A|192.48.79.30' from '' nameservers? YES!
www.theregister.com: accept answer 'K.GTLD-SERVERS.NET|A|192.52.178.30' from '' nameservers? YES!
www.theregister.com: accept answer 'E.GTLD-SERVERS.NET|A|192.12.94.30' from '' nameservers? YES!
www.theregister.com: accept answer 'M.GTLD-SERVERS.NET|A|192.55.83.30' from '' nameservers? YES!
www.theregister.com: determining status after receiving this packet
www.theregister.com: got NS record 'com' -> 'A.GTLD-SERVERS.NET'
www.theregister.com: got NS record 'com' -> 'G.GTLD-SERVERS.NET'
www.theregister.com: got NS record 'com' -> 'H.GTLD-SERVERS.NET'
www.theregister.com: got NS record 'com' -> 'C.GTLD-SERVERS.NET'
www.theregister.com: got NS record 'com' -> 'I.GTLD-SERVERS.NET'
www.theregister.com: got NS record 'com' -> 'B.GTLD-SERVERS.NET'
www.theregister.com: got NS record 'com' -> 'D.GTLD-SERVERS.NET'
www.theregister.com: got NS record 'com' -> 'L.GTLD-SERVERS.NET'
www.theregister.com: got NS record 'com' -> 'F.GTLD-SERVERS.NET'
www.theregister.com: got NS record 'com' -> 'J.GTLD-SERVERS.NET'
www.theregister.com: got NS record 'com' -> 'K.GTLD-SERVERS.NET'
www.theregister.com: got NS record 'com' -> 'E.GTLD-SERVERS.NET'
www.theregister.com: got NS record 'com' -> 'M.GTLD-SERVERS.NET'
www.theregister.com: status=did not resolve, got 13 NS, looping to them
www.theregister.com: Trying to resolve NS f.gtld-servers.net (1/13)
f.gtld-servers.net: Looking for CNAME cache hit of 'f.gtld-servers.net|CNAME'
f.gtld-servers.net: No CNAME cache hit of 'f.gtld-servers.net|CNAME' found
f.gtld-servers.net: Looking for direct cache hit of 'f.gtld-servers.net|A', 0
f.gtld-servers.net: Found cache hit for A: 192.35.51.30[ttl=172800]
www.theregister.com: Resolved NS f.gtld-servers.net to 192.35.51.30, asking 'www.theregister.com|A'
www.theregister.com: Got 8 answers from f.gtld-servers.net (192.35.51.30), rcode=0
www.theregister.com: accept answer 'theregister.com|NS|ns1.theregister.com' from 'com' nameservers? YES!
www.theregister.com: accept answer 'theregister.com|NS|ns2.theregister.com' from 'com' nameservers? YES!
www.theregister.com: accept answer 'theregister.com|NS|ns3.theregister.com' from 'com' nameservers? YES!
www.theregister.com: accept answer 'theregister.com|NS|ns4.theregister.com' from 'com' nameservers? YES!
www.theregister.com: accept answer 'ns1.theregister.com|A|212.100.234.58' from 'com' nameservers? YES!
www.theregister.com: accept answer 'ns2.theregister.com|A|212.100.234.57' from 'com' nameservers? YES!
www.theregister.com: accept answer 'ns3.theregister.com|A|212.100.234.56' from 'com' nameservers? YES!
www.theregister.com: accept answer 'ns4.theregister.com|A|212.100.234.55' from 'com' nameservers? YES!
www.theregister.com: determining status after receiving this packet
www.theregister.com: got NS record 'theregister.com' -> 'ns1.theregister.com'
www.theregister.com: got NS record 'theregister.com' -> 'ns2.theregister.com'
www.theregister.com: got NS record 'theregister.com' -> 'ns3.theregister.com'
www.theregister.com: got NS record 'theregister.com' -> 'ns4.theregister.com'
www.theregister.com: status=did not resolve, got 4 NS, looping to them
www.theregister.com: Trying to resolve NS ns3.theregister.com (1/4)
ns3.theregister.com: Looking for CNAME cache hit of 'ns3.theregister.com|CNAME'
ns3.theregister.com: No CNAME cache hit of 'ns3.theregister.com|CNAME' found
ns3.theregister.com: Looking for direct cache hit of 'ns3.theregister.com|A', 0
ns3.theregister.com: Found cache hit for A: 212.100.234.56[ttl=172800]
www.theregister.com: Resolved NS ns3.theregister.com to 212.100.234.56, asking 'www.theregister.com|A'
www.theregister.com: Got 9 answers from ns3.theregister.com (212.100.234.56), rcode=0
www.theregister.com: accept answer 'www.theregister.com|A|212.100.234.54' from 'theregister.com' nameservers? YES!
www.theregister.com: accept answer 'theregister.com|NS|ns1.theregister.com' from 'theregister.com' nameservers? YES!
www.theregister.com: accept answer 'theregister.com|NS|ns2.theregister.com' from 'theregister.com' nameservers? YES!
www.theregister.com: accept answer 'theregister.com|NS|ns3.theregister.com' from 'theregister.com' nameservers? YES!
www.theregister.com: accept answer 'theregister.com|NS|ns4.theregister.com' from 'theregister.com' nameservers? YES!
www.theregister.com: accept answer 'ns1.theregister.com|A|212.100.234.58' from 'theregister.com' nameservers? YES!
www.theregister.com: accept answer 'ns2.theregister.com|A|212.100.234.57' from 'theregister.com' nameservers? YES!
www.theregister.com: accept answer 'ns3.theregister.com|A|212.100.234.56' from 'theregister.com' nameservers? YES!
www.theregister.com: accept answer 'ns4.theregister.com|A|212.100.234.55' from 'theregister.com' nameservers? YES!
www.theregister.com: determining status after receiving this packet
www.theregister.com: answer is in: resolved to '212.100.234.54|A'
www.theregister.com: got upwards/level NS record 'theregister.com' -> 'ns1.theregister.com', had 'theregister.com'
www.theregister.com: got upwards/level NS record 'theregister.com' -> 'ns2.theregister.com', had 'theregister.com'
www.theregister.com: got upwards/level NS record 'theregister.com' -> 'ns3.theregister.com', had 'theregister.com'
www.theregister.com: got upwards/level NS record 'theregister.com' -> 'ns4.theregister.com', had 'theregister.com'
www.theregister.com: status=got results, this level of recursion done
www.theregister.com: Starting additional processing
www.theregister.com: Done with additional processing
answer to question 'www.theregister.com|A': 1 answers, 0 additional, took 3 packets, 0 throttled, rcode=0

Bert

-- 
http://www.PowerDNS.com Open source, database driven DNS Software
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
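The "accept answer ... from '...' nameservers?" lines in the trace above are a bailiwick check: a record is kept only if its owner name ends on the zone whose nameservers were asked, so 'com|NS|...' and the gtld-servers.net glue pass from the '' (root) servers, and a record such as foo.bar would be dropped from the titech.ac.jp servers. The following Python is an added example written for this page, not PowerDNS code, that models that rule on constructed records: the root referral is taken from the trace, while the titech.ac.jp response, the 192.0.2.x addresses (RFC 5737 documentation range) and the function names are assumptions. The label-wise comparison, which also rejects 'notitech.ac.jp' for zone 'titech.ac.jp' where a plain string suffix test would accept it, is an added hardening the trace does not show.

```python
"""Bailiwick filter in the style of the pdns_recursor trace: keep a record
from the nameservers of zone Z only if its owner name is Z or lies below Z.
Added example, not PowerDNS source."""

from dataclasses import dataclass


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot, so '.' and '' both mean the root."""
    return name.lower().rstrip(".")


def ends_on(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it.

    The comparison is label-wise: 'notitech.ac.jp' does NOT end on
    'titech.ac.jp', even though the string does end with it.
    """
    name, zone = normalize(name), normalize(zone)
    if zone == "":
        return True  # every name is below the root
    return name == zone or name.endswith("." + zone)


@dataclass(frozen=True)
class RR:
    """One resource record as it appears in the trace: owner|type|content."""
    name: str
    rtype: str
    content: str


def filter_answers(records, zone):
    """Split a response into (accepted, rejected) lists using the bailiwick rule."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if ends_on(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed sample responses (not captured traffic). The root referral
# reuses two records from the trace; the titech.ac.jp answer is hypothetical
# and padded with records an attacker would like the cache to accept.
ROOT_REFERRAL = [
    RR("com", "NS", "A.GTLD-SERVERS.NET"),
    RR("A.GTLD-SERVERS.NET", "A", "192.5.6.30"),
]
TITECH_ANSWER = [
    RR("www.hpcl.titech.ac.jp", "A", "192.0.2.10"),  # in bailiwick: kept
    RR("foo.bar", "A", "192.0.2.66"),                # out of bailiwick: dropped
    RR("notitech.ac.jp", "A", "192.0.2.67"),         # suffix trap: also dropped
]


def demo():
    """Run both constructed responses through the filter; returns owner names."""
    root_ok, root_bad = filter_answers(ROOT_REFERRAL, ".")
    t_ok, t_bad = filter_answers(TITECH_ANSWER, "titech.ac.jp")
    return {
        "root_accepted": [r.name for r in root_ok],
        "root_rejected": [r.name for r in root_bad],
        "titech_accepted": [r.name for r in t_ok],
        "titech_rejected": [r.name for r in t_bad],
    }


if __name__ == "__main__":
    # Print decisions in the same shape as the --trace output above.
    for zone, recs in (("", ROOT_REFERRAL), ("titech.ac.jp", TITECH_ANSWER)):
        ok, _ = filter_answers(recs, zone)
        for rr in recs:
            verdict = "YES!" if rr in ok else "NO"
            print(f"accept answer '{rr.name}|{rr.rtype}|{rr.content}' "
                  f"from '{zone}' nameservers? {verdict}")
```

Running the module prints one decision line per record; the two out-of-zone records in the constructed titech.ac.jp answer are the ones that never reach the cache.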