Re: Tinydns - cache poisoning?

To: "Stephen Vaughan" <stephenvaughan@gmail.com>
Cc: debian-security@lists.debian.org
Subject: Re: Tinydns - cache poisoning?
From: Florian Weimer <fw@deneb.enyo.de>
Date: Wed, 30 Jul 2008 07:06:26 +0200
Message-id: <878wvkt0z1.fsf@mid.deneb.enyo.de>
In-reply-to: <389c58c40807292147h27ab8f4ge3c349e9dd310c08@mail.gmail.com> (Stephen Vaughan's message of "Wed, 30 Jul 2008 14:47:57 +1000")
References: <389c58c40807292147h27ab8f4ge3c349e9dd310c08@mail.gmail.com>

* Stephen Vaughan:

> Does anyone know if TinyDNS is vulnerable to the dns cache poisoning
> exploit? I run tinydns servers, I ran the test below and it came back as
> POOR.

tinydns as in djbdns?  dnscache (the iterative resolver component of
djbdns) uses source port randomization, so no code changes are required.

> mh1:~# dig +short @ns1.example.com porttest.dns-oarc.net TXT
> z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> "1.2.3.4 is POOR: 26 queries in 4.4 seconds from 1 ports with std dev 0.00"

This should not happen with dnscache.  Perhaps you're behind a
not-so-transparent DNS proxy, and you're actually testing your ISP's
resolver?

Reply to:

Follow-Ups:
- Re: Tinydns - cache poisoning?
  - From: "Stephen Vaughan" <stephenvaughan@gmail.com>

References:
- Tinydns - cache poisoning?
  - From: "Stephen Vaughan" <stephenvaughan@gmail.com>

Prev by Date: Tinydns - cache poisoning?
Next by Date: Re: Tinydns - cache poisoning?
Previous by thread: Tinydns - cache poisoning?
Next by thread: Re: Tinydns - cache poisoning?
Index(es):
- Date
- Thread