Has anyone seen any incidents of DNS Cache Pollution with running a DNS
server on Solaris?
Thanks,
JSO
BIND 8.x and higher do a good job of protecting themselves from the most
common forms of cache poisoning, such as what has been happening for the
past few days with zfreehost.com. If you're running BIND 4.x, upgrade.
--
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
> A nameserver's susceptibility to cache poisoning has virtually nothing to
> do with the OS it's running on. BIND's cache management code is
> OS-independent. It's mostly dependent on the version of BIND you're
> running.
> BIND 8.x and higher do a good job of protecting themselves from the most
> common forms of cache poisoning, such as what has been happening for the
> past few days with zfreehost.com. If you're running BIND 4.x, upgrade.
1. caching dns appears to not cache.
I'm running an old version of BIND, 8.something. I've set it up to do
caching as stated in the DNS HOWTO. The named.conf is as follows:
// Config file for a caching only name server.
options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        listen-on { 10.0.0.1; 127.0.0.1; };
        allow-query {
                10.0.0.0/8;
                127.0.0.1;
        };
        // query-source address * port 53;
        forward first;
        forwarders {
                ISP.DNS.ONE.ONE;
                ISP.DNS.ONE.TWO;
        };
};
//
// a caching only nameserver config
//
zone "." {
        type hint;
        file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "pz/127.0.0";
};
However, I see DNS requests going to our ISP and coming back at all times.
Computer 1 pings google.com. named does the resolve dance (which I am
watching with tcpdump) and sends the reply to computer 1.
Computer 2 pings google.com. named does the resolve dance and sends the
reply to computer 2.
Shouldn't named just reply to computer 2 with the cached IPs?
joseph