Package: djbdns
Severity: normal
Hi there, please do forgive me if I've got the wrong end of the stick here or the code I've posted is completely wrong or makes no sense. It would be nice to get djbdns back into testing.

As I understand it, this bug works by getting dnscache to send extensive numbers of identical DNS requests so that forged responses now have a chance of being accepted by the majority of in-progress requests. dnscache does so because it is (a) bombarded by these requests and (b) dnscache's request dropping policy is used to avoid dnscache ever caching the real response, so the attack can continue indefinitely. It seems that the target here is to make dnscache not particularly worse than BIND or other DNS resolvers under this attack.

The request de-duplication patch seems rather complex and difficult to code-review. How about this? Under normal request load, dnscache's behaviour is unchanged. When dnscache starts dropping requests, dnscache looks for other identical requests, and if they exist, drops the current request. Hopefully, by the time it is retried, it can answer it out of the cache as the original request continued unaffected.

I've put a patch that I think does something like this here: http://www.unchartedbackwaters.co.uk/files/djbdns-1.diff (warning: untested, mainly to demonstrate the idea).

On the upside, this doesn't have a performance hit when dnscache isn't hitting its query limit. On the downside, when dnscache does hit its query limit, it'll cause particular incoming queries to be dropped when they match existing ones in progress, even if they can be answered out of the cache. Although I believe in-cache queries should be answered more or less instantly, so perhaps this is a non-issue. Also dnscache will drop queries under load anyway, but this behaviour might be less desirable. To be honest, I have no idea how often DNS caches under normal load should experience this problem (hopefully never), nor, when overloaded, how well a DNS cache should perform.
Regardless, the patch is much simpler. At the very least, I hope this gets this bug to be discussed again.

Regards,
Francis

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32.3 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
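The two drop policies the report contrasts, as an added simulation that is not part of the bug report or of the djbdns patch: a bounded table of in-flight queries where a full table either evicts the oldest query (the behaviour the report says the attack abuses) or, under the proposed policy, drops a newcomer that duplicates a query already in progress. The slot count, query keys and query ids are constructed for illustration.

```python
from collections import deque

class InFlightTable:
    """Bounded set of in-progress queries keyed by (name, type).

    Constructed model of dnscache's query slots; not djbdns code.
    """

    def __init__(self, capacity, dedup_when_full):
        self.capacity = capacity
        self.dedup_when_full = dedup_when_full
        self.slots = deque()   # (query_id, key); oldest on the left
        self.next_id = 0

    def arrive(self, key):
        """Admit one incoming query; return (query_id, outcome)."""
        qid = self.next_id
        self.next_id += 1
        if len(self.slots) < self.capacity:
            # Under normal load both policies behave identically.
            self.slots.append((qid, key))
            return qid, "started"
        if self.dedup_when_full and any(k == key for _, k in self.slots):
            # Proposed policy: an identical query is already in flight,
            # so drop the newcomer and let the original finish and be cached.
            return qid, "dropped_duplicate"
        # Original policy: make room by evicting the oldest in-flight query,
        # which is what keeps the real answer from ever being cached.
        self.slots.popleft()
        self.slots.append((qid, key))
        return qid, "evicted_oldest"

    def is_in_flight(self, qid):
        return any(q == qid for q, _ in self.slots)

def flood(capacity, dedup_when_full, key, n):
    """Start one legitimate query, then send n identical queries at it."""
    table = InFlightTable(capacity, dedup_when_full)
    first, _ = table.arrive(key)
    evictions = 0
    for _ in range(n):
        _, outcome = table.arrive(key)
        evictions += outcome == "evicted_oldest"
    return {"first_survives": table.is_in_flight(first),
            "evictions": evictions,
            "in_flight": len(table.slots)}
```

With the original policy the first query is evicted long before a slow upstream answer could arrive; with duplicate-dropping it stays in flight and the table never churns.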