Jonathan Yarden @ TechRepublic: Disable DNS caching on workstations
Rachael Treu Gomes
rara at navigo.com
Mon Apr 18 19:14:44 UTC 2005
On Mon, Apr 18, 2005 at 03:05:55PM -0400, Jason Frisvold said something to the effect of:
>
> On 4/18/05, Daniel Golding <dgolding at burtongroup.com> wrote:
> >
> >
> > Aside from individual OS behavior, doesn't this seem like very bad advice?
>
> I think this is more of a question of who to trust. Caching, in
> general, isn't a bad thing provided that TTLs are adhered to. If the
> poisoning attack were to inject a huge TTL value, then that would
> compromise that cache. (Note, I am no expert on DNS poisoning, so I'm
> not sure if the TTL is "attackable")
>
> However, on the flip side, if nothing is ever cached, then I would
> expect a huge amount of bandwidth to be eaten up by DNS queries.
You are right. Time spent in security for an ISP yielded many
DoS-against-the-DNS-server complaints that turned out to be
some query-happy non-cachers pounding away at the server. The
solution: block the querying IP from touching the DNS server.
Somehow, I think that might have hampered their name resolution
efforts...? ;)
cache me if you can,
--ra
>
> I think a seasoned op knows when to use caching and when to not use
> caching, but the everyday Joe User has no idea what caching is. If
> they see a technical article telling them to turn off caching because
> it will help stop phishing attacks (which they know are bad because
> everyone says so), then they may try to follow that advice. Aside
> from the "I broke my computer" syndrome, I expect they'll be very
> disappointed when their internet access becomes visibly slower because
> everything requires a new lookup...
>
> Is it possible to "prevent" poisoning attacks? Is it beneficial, or
> even possible, to prevent TTLs from being an excessively high value?
>
> --
> Jason 'XenoPhage' Frisvold
> XenoPhage0 at gmail.com
--
rachael treu gomes rara at navigo.com
..quis custodiet ipsos custodes?..
(this email has been brought to you by the letters 'v' and 'i'.)
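Jason's question above (can a resolver keep TTLs from being excessively high?) has a standard defensive answer: the resolver keeps caching but clamps every TTL it stores to a ceiling, which is what BIND's `max-cache-ttl` option does. The toy cache below is an added illustration, not code from this thread or from any resolver; the one-week cap, the `Answer` type and the `upstream` callable are constructed for the example. It also counts upstream queries, so the "query-happy non-cacher" traffic cost mentioned in the reply is visible.

```python
"""Toy caching resolver with a TTL cap (constructed example).

A poisoned answer carrying a huge TTL is stored for at most max_ttl seconds,
so it cannot pin a bad record indefinitely; a max_ttl of 0 models the
"never cache" advice and sends every lookup upstream.
"""
from dataclasses import dataclass

MAX_CACHE_TTL = 7 * 24 * 3600  # one-week ceiling, chosen for the example


@dataclass
class Answer:
    name: str
    rdata: str
    ttl: int  # TTL as received from upstream, in seconds


class CachingResolver:
    def __init__(self, upstream, max_ttl=MAX_CACHE_TTL):
        self._upstream = upstream      # callable: name -> Answer (hypothetical)
        self._max_ttl = max_ttl
        self._cache = {}               # name -> (rdata, expires_at)
        self.upstream_queries = 0      # how many lookups went upstream

    def effective_ttl(self, ttl):
        """Clamp an upstream TTL into [0, max_ttl]; negative TTLs are rejected."""
        if ttl < 0:
            raise ValueError("negative TTL")
        return min(ttl, self._max_ttl)

    def resolve(self, name, now):
        """Return rdata for name, using the cache while the entry is unexpired."""
        entry = self._cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0]
        self.upstream_queries += 1
        ans = self._upstream(name)
        ttl = self.effective_ttl(ans.ttl)
        if ttl > 0:
            self._cache[name] = (ans.rdata, now + ttl)
        return ans.rdata


if __name__ == "__main__":
    # Constructed upstream: always answers with a ten-year TTL (a poisoned-looking value).
    upstream = lambda name: Answer(name, "192.0.2.1", 10 * 365 * 24 * 3600)
    r = CachingResolver(upstream)
    for t in (0, 3600, MAX_CACHE_TTL):
        r.resolve("www.example.com", now=t)
    print("upstream queries with capped cache:", r.upstream_queries)  # 2: re-fetched at the cap
```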