[Pdns-users] DNS poisoning and spoof-nearmiss-max

bert hubert bert.hubert at netherlabs.nl
Tue Jul 29 21:20:14 UTC 2008


Hi J,

Please find my answers below.

On Tue, Jul 29, 2008 at 05:00:34PM -0400, J Knight wrote:
> What is the Recursor's exact detection method and reaction
> in relation to the spoof-nearmiss-max config parameter?
> 
> Do internal counters for an outstanding query record
> - answers coming back from other authoritative (or ANY) servers
>   than the one asked?

No, we don't see those answers - the operating system makes sure we don't
see them.

> - any mismatch (not just an "approximate" mismatch, as the "nearmiss"
>   suggests) of the query-ID?

A mismatch of query-id. This means the rest of the things that need to be
matched were matched. 

> Shouldn't the default for this parameter be "1" instead of "20"?

Sometimes you get back really old answers, which would invalidate things.
Also, setting it to '1' makes it really easy to deny service. Even 20
attempts will not get you close to guessing the one source port/query id
combination out of 4 billion that works. 

But another number might be better. 20 is certainly not dangerous.

> How well does the Recursor aggregate/avoid duplicate queries for
> the same RR going out, to avoid a birthday attack?

Perfectly, through query chaining.

> There is a "chain-resends" statistics variable (not documented
> in http://doc.powerdns.com/recursor-stats.html , along with
> several other variables found in rec_channel_rec.cc : what
> are case-mismatches , shunted-queries, noshunt-* , why
> is throttled-outqueries duplicating throttled-out ?) suggesting
> tracking of this.

Chain-resends is documented on that page. Case-mismatches, shunted-queries,
noshunt* are statistics for experimental PowerDNS recursor modules that are
currently disabled. The statistics sit there at zero. 

If you really want to know, shunted queries are part of an experiment where
simple queries that can be answered from the cache are answered directly,
without passing through the whole resolution logic.

These queries did not raise performance appreciably though.

Case-mismatches is an implementation of Paul Vixie's 'dns-0x20' draft. This
might be enabled at some point.

Throttled-outqueries were renamed at some point (from 'throttled-out'), but
the old name is still around for backwards compatibility.

> What does the Recursor actually do if the counter exceeds the
> configured limit?
> - abandon the query and return SERVFAIL to all clients?
> - abandon the query and return nothing to all clients?
> - wait X seconds and retry the outgoing query to the same NS?
>   or to another NS for the zone?

The query is considered to have generated an error, and the next server will
be tried. If there are no others to try, SERVFAIL to all clients.

> I am reading through http://www.ietf.org/internet-drafts/draft-ietf-dnsext-forgery-resilience-05.txt
> for some interesting ideas...

Check who wrote it :-) 

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
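
A small model of the near-miss counting and fallback described in the message above, added here as an illustration; it is not PowerDNS source code and not part of the original post. All class and function names, addresses, ports and query IDs are constructed, and reading "exceeds the limit" as strictly greater than `spoof-nearmiss-max` is an assumption.

```python
from dataclasses import dataclass

SERVFAIL = "SERVFAIL"

@dataclass
class Outstanding:
    """One query in flight to one authoritative server (a model, not PowerDNS code)."""
    server: str
    port: int            # local source port the query was sent from
    qid: int             # 16-bit query ID
    qname: str
    qtype: str
    nearmisses: int = 0

def reply(q, qid, answer=None):
    """Build a constructed inbound packet matching q in everything but (maybe) the ID."""
    return {"server": q.server, "port": q.port, "qname": q.qname,
            "qtype": q.qtype, "qid": qid, "answer": answer}

def classify(q, pkt, nearmiss_max):
    """Return 'ignore', 'accept', 'nearmiss' or 'abandon' for one inbound packet."""
    key = (pkt["server"], pkt["port"], pkt["qname"].lower(), pkt["qtype"])
    if key != (q.server, q.port, q.qname.lower(), q.qtype):
        return "ignore"          # not a near miss: something other than the ID differs
    if pkt["qid"] == q.qid:
        return "accept"
    q.nearmisses += 1            # everything matched except the query ID
    # Assumption: "exceeds" means strictly greater than the configured limit.
    return "abandon" if q.nearmisses > nearmiss_max else "nearmiss"

def resolve(queries, inbound, nearmiss_max=20):
    """Try each server's query in order; inbound maps server -> packets received."""
    for q in queries:
        for pkt in inbound.get(q.server, []):
            verdict = classify(q, pkt, nearmiss_max)
            if verdict == "accept":
                return pkt["answer"]
            if verdict == "abandon":
                break            # counted as an error, so the next server is tried
    return SERVFAIL              # no servers left: every client gets SERVFAIL

# Constructed sample data: two authoritative servers for one name.
A = Outstanding("192.0.2.1", 40001, 0x1A2B, "www.example.com", "A")
B = Outstanding("192.0.2.2", 40002, 0x3C4D, "www.example.com", "A")
```
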

