List: djbdns
Subject: Re: can't resolve some addresses
From: Jeff King <peff () peff ! net>
Date: 2009-04-07 19:53:50
Message-ID: 20090407195350.GA12411 () coredump ! intra ! peff ! net
On Tue, Apr 07, 2009 at 03:10:45PM -0400, Dean Anderson wrote:
> Except that, in this case, there is nothing wrong with putting RD in a
> query to an authoritative server that is authoritative for the zone you
> are querying. The mozilla server doesn't need to recurse; it's got the
> authority data.
>
> The bug is in the mozilla server for refusing the query, even though it
> was authoritative for the answer. Turning off recursion should only
> cause queries to be refused if recursion was necessary; in this case,
> recursion wasn't necessary.
Whether refusing such queries is wrong or not, running dnscache with
FORWARDONLY but not forwarding to another resolver is a bad idea for two
reasons:
1. There are obviously names which, right or wrong, will have
   problems resolving, as evidenced by the original poster in this
   thread.

2. dnscache uses the RD bit for loop detection. A malicious content
   server can thus induce an infinite lookup loop in dnscache by
   referring the resolver to itself. This is easy to demonstrate via:

     # $U is the unprivileged account the services run as
     dnscache-conf $U $U /tmp/dnscache 127.0.0.1
     tinydns-conf $U $U /tmp/tinydns 127.0.0.2
     # tinydns on 127.0.0.2: authoritative for .bogus, delegates loop.bogus
     # back to 127.0.0.1 (the dnscache instance)
     (cd /tmp/tinydns
      (echo .bogus:127.0.0.2; echo \&loop.bogus:127.0.0.1:a) >root/data
      (cd root && make)
      ./run) &
     # dnscache on 127.0.0.1: FORWARDONLY, with bogus forwarded to tinydns
     (cd /tmp/dnscache
      echo 1 >env/FORWARDONLY
      echo 127.0.0.2 >root/servers/bogus
      ./run) &
     DNSCACHEIP=127.0.0.1 dnsqr a loop.bogus
-Peff
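A defensive check for the configuration Jeff warns about, added here as an example; it is not code from the thread or from djbdns. It lints a dnscache service directory for FORWARDONLY combined with zone-specific root/servers entries (which usually name authoritative servers, not resolvers), and it probes a forwarder with an RD query and classifies the reply by the RA bit: a recursive resolver sets RA, an authoritative-only server answers without it or returns REFUSED, which is what the original poster ran into. The service-directory layout follows dnscache-conf; the sample directory, the TEST-NET address 192.0.2.53 and the sample response headers are constructed for the example.

```python
"""Check a dnscache service directory for the FORWARDONLY problem discussed
in the thread, and verify that forwarders really are recursive resolvers.

Added example, not code from the original post or from djbdns.  Assumes the
dnscache-conf layout: env/FORWARDONLY and root/servers/<zone> (one IP per
line, '@' being the default list).  All sample data below is constructed.
"""
import os
import socket
import struct
import sys
import tempfile

DNS_QR = 0x8000  # header flag: this packet is a response
DNS_AA = 0x0400  # header flag: authoritative answer
DNS_RD = 0x0100  # header flag: recursion desired (dnscache sets it under FORWARDONLY)
DNS_RA = 0x0080  # header flag: recursion available (set only by recursive resolvers)
RCODE_REFUSED = 5


def forwardonly_set(service_dir):
    """envdir exports FORWARDONLY only when env/FORWARDONLY exists and is non-empty."""
    try:
        with open(os.path.join(service_dir, "env", "FORWARDONLY")) as f:
            return f.read().strip() != ""
    except FileNotFoundError:
        return False


def configured_servers(service_dir):
    """Return {zone: [ip, ...]} from root/servers/*."""
    base = os.path.join(service_dir, "root", "servers")
    servers = {}
    for name in sorted(os.listdir(base)):
        with open(os.path.join(base, name)) as f:
            servers[name] = [line.strip() for line in f if line.strip()]
    return servers


def lint(service_dir):
    """Flag zone-specific server lists under FORWARDONLY: those usually name
    authoritative servers, which then receive RD queries (the thread's problem)."""
    if not forwardonly_set(service_dir):
        return []
    return [("FORWARDONLY with zone-specific servers; confirm they recurse", zone, ips)
            for zone, ips in configured_servers(service_dir).items() if zone != "@"]


def build_query(name, qtype=1, txid=0x1234):
    """Minimal UDP query with RD set, mirroring what dnscache sends when forwarding."""
    labels = [label.encode() for label in name.strip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return struct.pack(">HHHHHH", txid, DNS_RD, 1, 0, 0, 0) + qname + struct.pack(">HH", qtype, 1)


def classify_response(response):
    """'resolver' if RA is set, 'authoritative-only' if not, 'refused' on RCODE 5."""
    if len(response) < 12:
        raise ValueError("short DNS packet")
    flags = struct.unpack(">H", response[2:4])[0]
    if not flags & DNS_QR:
        return "not-a-response"
    if (flags & 0x000F) == RCODE_REFUSED:
        return "refused"
    return "resolver" if flags & DNS_RA else "authoritative-only"


def probe(ip, name="example.com.", timeout=2.0):
    """Send one RD query to ip:53 and classify the reply (network; not run offline)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ip, 53))
        response, _ = s.recvfrom(512)
    return "id-mismatch" if response[:2] != query[:2] else classify_response(response)


# Constructed 12-byte response headers (no question/answer sections) for offline checks.
SAMPLE_RESOLVER = struct.pack(">HHHHHH", 0x1234, DNS_QR | DNS_RD | DNS_RA, 0, 1, 0, 0)
SAMPLE_AUTH_ONLY = struct.pack(">HHHHHH", 0x1234, DNS_QR | DNS_AA | DNS_RD, 0, 1, 0, 0)
SAMPLE_REFUSED = struct.pack(">HHHHHH", 0x1234, DNS_QR | DNS_RD | RCODE_REFUSED, 0, 0, 0, 0)


def make_sample_service_dir():
    """Build the misconfiguration from the post in a temp dir (constructed data):
    FORWARDONLY set, '@' pointing at a placeholder resolver, 'bogus' at 127.0.0.2."""
    d = tempfile.mkdtemp(prefix="dnscache-lint-")
    os.makedirs(os.path.join(d, "env"))
    os.makedirs(os.path.join(d, "root", "servers"))
    with open(os.path.join(d, "env", "FORWARDONLY"), "w") as f:
        f.write("1\n")
    with open(os.path.join(d, "root", "servers", "@"), "w") as f:
        f.write("192.0.2.53\n")  # TEST-NET placeholder for a real recursive resolver
    with open(os.path.join(d, "root", "servers", "bogus"), "w") as f:
        f.write("127.0.0.2\n")
    return d


if __name__ == "__main__":
    # Usage: python lint_dnscache.py /service/dnscache  (no argument: lint the sample dir)
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_service_dir()
    for finding in lint(target):
        print(finding)
```

Run `probe(ip)` against each IP the lint reports; anything that comes back as "authoritative-only" or "refused" is a server that should not be listed under FORWARDONLY, since dnscache will send it RD queries and, as the demo above shows, treat a referral back to itself as a loop rather than as a delegation.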