Russ Allbery wrote:
> So far as I understand the additional protection provided by duplicate
> query merging, the attack that protects against practically requires
> direct access to the caching resolver, so listening only on localhost (or
> the equivalent) would make dnscache equivalently secure to any other DNS
> caching resolver.

i think this is a rather tenuous assertion. it's only really true if the resolver only performs lookups directly approved by the user sitting at the machine, but on modern systems there are plenty of ways to remotely induce queries to a caching resolver that only listens on the loopback interface: HTTP resource loading in web browsers; DNS prefetching in web browsers; MTAs which generate DNS lookups for HELO, RCPT, etc.; DNS-based checks in email content filters.

the problem of identical outbound queries was identified well before CVE-2008-4392; e.g., see VU#457875 from 2002:

http://www.kb.cert.org/vuls/id/457875

-- 
Robert Edmonds
edmo...@debian.org
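
The duplicate query merging discussed in this thread, modeled as an added example (not part of the original message, and not code from dnscache or any other resolver): identical questions arriving from several local sources share one in-flight upstream query instead of each emitting its own. The `Resolver` class, `simulate` function, and sample source names are hypothetical; `192.0.2.1` is a documentation address.

```python
from collections import defaultdict


class Resolver:
    """Toy model of a caching resolver's outbound-query table (hypothetical)."""

    def __init__(self, merge_duplicates):
        self.merge_duplicates = merge_duplicates
        self.in_flight = defaultdict(list)  # (qname, qtype) -> waiting clients
        self.outbound_sent = 0              # upstream queries actually emitted

    @staticmethod
    def _key(qname, qtype):
        # DNS names compare case-insensitively; ignore the trailing root dot.
        return (qname.lower().rstrip("."), qtype)

    def client_query(self, client, qname, qtype="A"):
        """Register a client question; return True if it caused an upstream query."""
        key = self._key(qname, qtype)
        already_pending = key in self.in_flight
        self.in_flight[key].append(client)
        if self.merge_duplicates and already_pending:
            return False                    # piggyback on the query in flight
        self.outbound_sent += 1
        return True

    def upstream_answer(self, qname, qtype, rdata):
        """Deliver one upstream answer to every client waiting on that question."""
        waiters = self.in_flight.pop(self._key(qname, qtype), [])
        return {client: rdata for client in waiters}


def simulate(merge_duplicates):
    # Constructed sample: local software that can be made to ask a
    # loopback-only resolver the same question at the same time.
    sources = ["browser-resource-load", "browser-prefetch",
               "mta-helo-check", "mail-content-filter"]
    resolver = Resolver(merge_duplicates)
    for src in sources:
        resolver.client_query(src, "Example.COM.")
    outstanding = resolver.outbound_sent    # identical queries open upstream
    answered = resolver.upstream_answer("example.com", "A", "192.0.2.1")
    return outstanding, sorted(answered)


if __name__ == "__main__":
    print("merged:  ", simulate(True))
    print("unmerged:", simulate(False))
```
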