[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Tinydns - cache poisoning?

Stephen Vaughan escribió:
I was querying my tinydns remotely which was using bind locally. When I ran the dig command on the box itself (which uses the local dnscache) it didn't return anything.
Who is resolving the external domains ? Your TinyDNS have forwarders ? If your answer is yes, you are testing your forwarders. I had many forwarders, now I have OpenDNS servers only. 



So looks like its all clear..
On Wed, Jul 30, 2008 at 3:06 PM, Florian Weimer <fw@deneb.enyo.de <mailto:fw@deneb.enyo.de>> wrote: 

    * Stephen Vaughan:

    > Does anyone know if TinyDNS is vulnerable to the dns cache poisoning
    > exploit? I run tinydns servers, I ran the test below and it came
    back as
    > POOR.

    tinydns as in djbdns?  dnscache (the iterative resolver component of
    djbdns) uses source port randomization, so no code changes are
    required.

    > mh1:~# dig +short @ns1.example.com <http://ns1.example.com>
    porttest.dns-oarc.net <http://porttest.dns-oarc.net> TXT
    >
    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net
    <http://z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net>.
    > "1.2.3.4 <http://1.2.3.4> is POOR: 26 queries in 4.4 seconds
    from 1 ports with std dev 0.00"

    This should not happen with dnscache.  Perhaps you're behind a
    not-so-transparent DNS proxy, and you're actually testing your ISP's
    resolver?




--
Best Regards,
Stephen
Reply to: