[Pdns-users] DNS poisoning and spoof-nearmiss-max
jknight+pdns at spamshield.org
Tue Jul 29 21:00:34 UTC 2008
What is the Recursor's exact detection method and reaction
in relation to the spoof-nearmiss-max config parameter?
Do internal counters for an outstanding query record
- answers coming back from other authoritative (or ANY) servers
than the one asked?
- any mismatch (not just an "approximate" mismatch, as the "nearmiss"
suggests) of the query-ID?
Shouldn't the default for this parameter be "1" instead of "20"?
How well does the Recursor aggregate/avoid duplicate queries for
the same RR going out, to avoid a birthday attack?
There is a "chain-resends" statistics variable (not documented
in http://doc.powerdns.com/recursor-stats.html , along with
several other variables found in rec_channel_rec.cc : what
are case-mismatches , shunted-queries, noshunt-* , why
is throttled-outqueries duplicating throttled-out ?) suggesting
tracking of this.
What does the Recursor actually do if the counter exceeds the
- abandon the query and return SERVFAIL to all clients?
- abandon the query and return nothing to all clients?
- wait X seconds and retry the outgoing query to the same NS?
or to another NS for the zone?
I am reading through http://www.ietf.org/internet-drafts/draft-ietf-dnsext-forgery-resilience-05.txt
for some interesting ideas...
More information about the Pdns-users