[Unbound-users] allowing cache queries but not doing recursion for "foreign" networks
Greg A. Woods; Planix, Inc.
woods at planix.ca
Sun Feb 15 20:13:56 UTC 2009
On 15-Feb-2009, at 12:29 PM, Paul Wouters wrote:
>>> I.e. anyone can see anything in my cache except my private data
>
> You want them to not "use" the cache, but allow them to "debug" the
> cache.
Yes, exactly. Well, at least the current cache contents. I've long
ago given up on the desire to allow full testing of a DNS caching
resolver so that the tester can see how it recursively resolves
answers to new queries. My experience now shows that it is the current
cache contents that are the most important to debugging and testing
from remote sites.
> To me, "debug" is a higher privilege than "using".
While that is certainly true for some meanings of "debug", in this
case the person doing the debugging may very well "own" the data that
is in the remote DNS cache, or they may be answering support queries
for people who are at remote sites, etc., etc., etc.
In fact I end up having to debug other people's cache data on an
almost daily basis. In recent years I almost always have to gain
access to a system on a network their caching nameserver(s) trust in
order to do such debugging, and that's not always easy, but it is
almost always possible in one way or another. Caches almost never
manage to protect their copy of my data from my view anyway -- they
just make it very annoying to get at.
Even more hypocritical are those large access providers who might
think they are gaining some security advantage by preventing the half
of the world they don't provide access to from querying the caching
nameservers used by the half of the world they do provide access to.
99.999% of the time the most worrying attacks will come from the
networks they "trust" even if they don't provide access to half the
world. Sure it might help that they have contractual relationships
with the customers who own machines that might attack them, but in
practice they almost never exercise the management level controls they
could use in order to kick offending customers off their networks
(Cogeco being one recent example I know of to the contrary).
While I definitely do worry about attacks that can abuse caching
nameservers, I have a very strong desire to keep the public data in
them publicly available.
--
Greg A. Woods; Planix, Inc.
<woods at planix.ca>
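The distinction the thread turns on, "debugging" a cache versus "using" it, is visible on the wire as the Recursion Desired (RD) bit of the DNS header. The following is an added illustration, not code from this message or from the Unbound project: it builds and parses a minimal query packet and models, in simplified form, how the access-control actions documented in unbound.conf(5) treat a query with RD=0 (a cache lookup) versus RD=1 (a request to recurse). The address ranges in the ACL are constructed documentation prefixes, and the policy function is a hypothetical model of those actions, not Unbound's implementation.

```python
import ipaddress
import struct

# Constructed example (not Unbound's code): a minimal DNS query builder/parser
# and a simplified model of Unbound's access-control actions, showing how a
# "cache debug" query (RD=0) differs on the wire from a "use the cache" query (RD=1).

RD_FLAG = 0x0100  # Recursion Desired: bit 8 of the 16-bit flags word (RFC 1035)


def build_query(qname, rd, qtype=1, qid=0x1234):
    """Build a one-question DNS query packet; rd=False asks only for cached data."""
    flags = RD_FLAG if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def parse_query(packet):
    """Return the header id, the RD bit and the question section of a query."""
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"id": qid, "rd": bool(flags & RD_FLAG),
            "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass}


# Hypothetical access-control list using documentation address ranges.
# Actions mirror unbound.conf(5): allow (recursion only; RD=0 queries are REFUSED),
# allow_snoop (recursion and non-recursive cache lookups), refuse, deny.
ACL = [
    (ipaddress.ip_network("192.0.2.0/24"), "allow_snoop"),   # own staff networks
    (ipaddress.ip_network("198.51.100.0/24"), "allow"),      # customers
    (ipaddress.ip_network("0.0.0.0/0"), "refuse"),           # everyone else
]


def decide(src_ip, packet, acl=ACL):
    """Simplified policy decision: 'serve', 'REFUSED' (answer with RCODE 5) or 'drop'."""
    addr = ipaddress.ip_address(src_ip)
    matches = [(net, act) for net, act in acl if addr in net]
    if not matches:
        return "REFUSED"  # unlisted sources are refused by default
    _net, action = max(matches, key=lambda m: m[0].prefixlen)  # most specific wins
    rd = parse_query(packet)["rd"]
    if action == "allow_snoop":
        return "serve"
    if action == "allow":
        return "serve" if rd else "REFUSED"  # RD=0 is treated as cache snooping
    if action == "refuse":
        return "REFUSED"
    return "drop"  # deny: silently discard


if __name__ == "__main__":
    for ip in ("192.0.2.7", "198.51.100.9", "203.0.113.5"):
        for rd in (True, False):
            pkt = build_query("example.com.", rd=rd)
            print(f"{ip:15} RD={int(rd)} -> {decide(ip, pkt)}")
```

The model makes the policy gap in the thread concrete: the only action that accepts RD=0 queries, allow_snoop, also grants recursion, so "let foreign networks inspect the cache but not recurse through it" cannot be expressed with these actions alone; the operator either opens both to a source network or neither.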