[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning
Rick Jones
rick.jones2 at hp.com
Fri Jul 11 23:27:13 UTC 2008
Mark Andrews wrote:
>> For Bind and djbdns (tinydns/axfrdns) no change is needed. DNS over tcp is
>> enabled by default, but the fools programming the firewall don't read
>> the RFCs which say port 53 udp and tcp.
>
> Yes there are changes required.
>
> First you need to stop the servers making UDP requests by
> default.
>
> Next you will need to treat your nameserver like a http server
> that is answering 1000's of http requests per second. The
> latter is the expensive part as it may involve new hardware.
Making the broad handwaving assumption that a DNS query is more or less
like a static DNS query in its overhead, one can look at the _ancient_
SPECweb96 results and see that single-core systems were doing several
1000's of URLs a second, even without having to resort to in-kernel http
acceleration.

If one doesn't like that handwaving, SPECweb99 has "dynamic" content
that could be considered "closer" to what a DNS server does.
Those were serving many thousand simultaneous sessions.

In both cases the "on the network" would be rather much larger than DNS
- O(14K) per URL.

So, it may involve new hardware, but I'm not sure how big that new
hardware would really be.
rick jones