[Unbound-users] allowing cache queries but not doing recursion for "foreign" networks
Ondřej Surý
ondrej at sury.org
Sun Feb 15 23:30:43 UTC 2009
> I'm not convinced making some tiny form of this information available from
> the local DNS cache is of any more value to an attacker than the myriad of
> other ways they can learn the same information.
I am sure that there are plenty of people who can use information from cache
to prime attacks or use that information just to snoop into one's private life.
> Most importantly I will claim for the moment that these kinds of attacks
> cannot be eliminated by simply preventing cache snooping. They are
> indicative of flaws in other areas and while they may be mitigated slightly
> in the near term by preventing cache snooping, they can only be prevented by
> correcting other flaws.
So what? We open another privacy and security hole we are already trying to close?
>> It also complicates the end-user experience. If someone hardcodes my DNS
>> servers into their machine and moves off of my network, lookups of popular,
>> cached RRs will mostly work and other lookups will mysteriously fail,
>> perhaps a week in the future after they've forgotten what they've done. It
>> seems much more clear to just have nothing work until they fix their
>> config.
>
> I'm not really concerned at all about such issues. Perhaps it is sad for me
> to say so, but they are inevitably someone else's problem, not mine.
Here's the problem. You are trying to enforce your view, since it's your current
problem. But I hope that's never going to happen in Unbound. We are supposed
to fix up the old wounds and not open them again and again.
>> The fact that it is in a cache or not and when it was retrieved is the
>> sensitive data, not the public data that was retrieved.
>
> That information is not really any more sensitive than anything else done on
> a _public_ network.
It is. Since anybody around the globe could query the cache - he doesn't have
to be MITM or sitting at the end points.
> If anyone can show me any real (i.e. no hand waving or ranting!) attacks
> where cache snooping is a very important contributor that cannot be replaced
> by other mechanisms then I'll certainly pay attention.
Ok, again. Reasoning "there are plenty of holes" so leave this open as well is
not going to make the internet safer.
And I think we are really going off-topic - this is a more general DNS issue than
Unbound-specific.
Ondrej
--
Ondřej Surý <ondrej at sury.org>