IWETHEY v. 0.3.0 | TODO
A couple of stupid DNS questions
As I understand it if you have a cached answer which is past expiry, then you throw it out and ask for a refresh. Then if the refresh cannot be found, then you say the name cannot be resolved.

It seems to me that if you are past the expiry time you should ask for the real answer, but in the event that you cannot get one you should continue to hand back your stale answer indefinitely. That would mean that an attack like this on the root DNS system would essentially never work. Other machines would wind up asking where, for instance, .au and .com are but would continue to give back accurate answers indefinitely. It would also help in some local failures because my local caching DNS node would leave me able to access things that I normally used even though the server it gets things from cannot be reached. (I used to suffer through a lot of these because I was behind a firewall with only a poorly-administered DNS server available.)

The other question is this. Why is mail the only protocol that DNS has seen fit to make failover be implemented for in the DNS system? Personally I think it would be great to build the capacity into virtually everything. Makes redundancy easier to design in to things. Allows people to use DNS for naive balancing and also gives the caching benefit.

Cheers,
Ben
"Career politicians are inherently untrustworthy; if it spends its life buzzing around the outhouse, it's probably a fly."
- [link|http://www.nationalinterest.org/issues/58/Mead.html|Walter Mead]
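The caching policy Ben proposes, as an added Python illustration that is not code from this thread or from any real resolver: expired answers are refreshed from upstream, but if the upstream cannot be reached the stale answer is handed back instead of a failure. It assumes (not stated in the post) that stale data is served only when the upstream is unreachable, never when it returns an authoritative negative answer, and that the upstream is a callable returning (answer, ttl).

```python
# Added illustration of the "serve stale on refresh failure" policy proposed
# above; not code from this thread or any real resolver. Assumed: stale data
# is served only when the upstream is unreachable, never on an authoritative
# negative answer, and the upstream is a callable returning (answer, ttl).
import time

class UpstreamUnreachable(Exception):
    """Transient failure: no reply from the upstream server(s)."""

class NameDoesNotExist(Exception):
    """Authoritative NXDOMAIN: the name really is gone."""

class ServeStaleCache:
    def __init__(self, upstream, clock=time.monotonic):
        self._upstream = upstream
        self._clock = clock
        self._cache = {}  # name -> (answer, expires_at)

    def resolve(self, name):
        """Return (answer, status); status is 'fresh', 'refreshed' or 'stale'."""
        now = self._clock()
        cached = self._cache.get(name)
        if cached is not None and now < cached[1]:
            return cached[0], "fresh"      # still within TTL, no upstream query
        try:
            answer, ttl = self._upstream(name)
        except UpstreamUnreachable:
            if cached is None:
                raise                      # nothing to fall back on
            return cached[0], "stale"      # expired, but better than failing
        except NameDoesNotExist:
            self._cache.pop(name, None)    # genuine negative answer: drop it
            raise
        self._cache[name] = (answer, now + ttl)
        return answer, "refreshed"

def demo():
    """Constructed scenario: upstream answers once, then goes unreachable."""
    clock, calls = [0.0], [0]
    def upstream(name):
        calls[0] += 1
        if calls[0] == 1:
            return "192.0.2.10", 60        # constructed address, 60 s TTL
        raise UpstreamUnreachable()
    cache = ServeStaleCache(upstream, clock=lambda: clock[0])
    first = cache.resolve("www.example.net")   # queried: refreshed
    clock[0] = 30
    second = cache.resolve("www.example.net")  # within TTL: fresh
    clock[0] = 3600                            # an hour on, upstream is down
    third = cache.resolve("www.example.net")   # expired but served: stale
    return first, second, third, calls[0]
```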
Re: A couple of stupid DNS questions
Ben, my understanding about how caching's supposed to work is more-or-less the same as yours. It turns out that, in practice, caching policies seem to be all over the map -- but are heavily on the "excessive and inappropriate" side of that map. This can lead to some frustrating situations, e.g., you know you're going to be migrating a public Web server, so you set TTL values low well in advance, you perform the migration, and then you start getting mail from people who unaccountably aren't reaching the new site, apparently because of inappropriate caching.

Yes, what you're proposing sounds like a better way, better even than the way the RFCs say it's supposed to work -- but real-world usage appears to only spottily implement even the latter.

Why is mail the only protocol that DNS has seen fit to make failover be implemented for in the DNS system?

Interesting idea. The one almost unique characteristic of mail that I can think of, that might account for this, is that mail is asynchronous, and thus benefits from queueing and redelivery in a way that other services generally don't. But it's a good thought. I can't think offhand of other services that could benefit from similar treatment, but there might be some.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
     e-knobs execute DoS attack against root DNS servers - (admin) - (7)
         Feh. ;-) - (rickmoen) - (6)
             re the ICANN Scam: - (Ashton)
             Bwahahahahaaa... - (jake123)
             Rick... How is DDNS going to affect this... - (folkert) - (1)
                 Re: Rick... How is DDNS going to affect this... - (rickmoen)
             A couple of stupid DNS questions - (ben_tilly) - (1)
                 Re: A couple of stupid DNS questions - (rickmoen)
