[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Rick Jones rick.jones2 at hp.com
Fri Jul 11 23:27:13 UTC 2008

Mark Andrews wrote:
>>For Bind and djbdns (tinydns/axfrdns) no change is needed. DNS over tcp is
>>enabled by default, but the fools programming the firewall dont read
>>the RFCs who say port 53 udp and tcp.
> 	Yes there are changes required.
> 	First you need to stop the servers making UDP request by
> 	default.
> 	Next will need to treat your nameserver like a http server
> 	that is answering 1000's of http requests per second.  The
> 	later is the expensive part as it may involve new hardware.

Making the broad handwaving assumpion that a DNS query is more or less 
like a static DNS query in its overhead, one can look at the _ancient_ 
SPECweb96 results and see that single-core systems were doing several 
1000's of URLs a second, even without having to resort to in-kernel http 

If one doesn't like that handwaving, SPECweb99 has "dynamic" content 
that could be considered "closer" to what a DNS server does.
Those were serving many thousand simultaneous sessions.

In both cases the "on the network" would be rather much larger than DNS 
- O(14K) per URL.

So, it may involved new hardware, but I'm not sure how big that new 
hardware would really be.

rick jones

More information about the dns-operations mailing list