By: admin

admin — Thu, 28 Aug 2008 19:43:47 +0000

DNS is one of the older protocols around, and it is somewhat fatally flawed (the first response wins is just not a good idea). I agree that it will probably need an overhaul eventually.

As for turning off recursive queries, most DNS requests and responses should generate IP packets that aren’t much more than 100 bytes. Even if you throw on a little more space for the lower level headers (Ethernet, 802.11, or whatever you’re using), and it’s still not very much traffic. Yes there will be a slight delay as the functionality is being moved from the (theoretically faster) DNS server to the end-user, but it will most likely be measured in nanoseconds, if that.

By: Matt W.

Matt W. — Thu, 28 Aug 2008 03:16:14 +0000

While turning off recursive queries within an organization (really, their name servers) may resolve a piece of the issue – this flaw exists in the foundations of DNS (your query ID for a lookup is effectively your password and it’s a race to respond with the proper query ID… between the proper authoritative name server and the attacker “name” server). Plus, how will you disable recursive queries for ISP name servers (Comcast, Verizon, etc.) – I would suppose this would require the client to perform each lookup (as in, everyones PC) – since the ISP name server wouldn’t be doing the heavy lifting. With home user’s performing all the lookups directly, network utilization would increase by a non-trivial amount due to the additional DNS traffic overhead (at least, I would think so… otherwise, why have recursion and caching in the first place). I think the patches solve this issue in the near term, in the long run DNS probably needs an overhaul (much like IPv4 did), but judging by the adoption rate of IPv6, I wouldn’t hold my breath. Now get ready for this BGP issue to take off like wild fire…

Comments on: DNS cache poisoning

By: admin

By: Matt W.