Maintained by: NLnet Labs

[Unbound-users] resolver & performance issues

Wouter Wijngaards
Thu Oct 9 16:47:57 CEST 2008



Hi David,

David Miller wrote:
> I didn't realize that this had changed between 1.0.2 to the current SVN
> version.
> 
> How would one "change the acl to allow the cache snooping"?

access-control: 127.0.0.0/8 allow_snoop
  or even
access-control: 0.0.0.0/0 allow_snoop

in the config file.

> Does dig +trace really require "cache snooping"?  Sounds ominously bad :-)

Well, if you are willing to type @c.root-servers.net on the
commandline (or make an alias), then it doesn't require snooping, I noticed.
(the nonrecursive query is sent to the root server, instead of to the
local resolver).

dig +trace uses nonrecursive queries, which are useful for debugging.
And dig is a debugging tool. But they are also used for 'cache
snooping', which is where you probe the resolver to find out which
domains are in the cache (i.e. what websites have been visited).

> What is the downside of allowing this?

The text above.  Also it can be used to see which domains are not in the
cache, which is useful to know for cache poisoning.

You can only allow your own workstation, for example.
Or make an alias digtrace="dig +trace @h.root-servers.net"

> BTW: I find the +trace option amazingly useful in troubleshooting
> reverse DNS delegations (see below).

Yeah that is nice.

> FYI: DJB has never supported queries with +trace.  I am sure that he has
> his reasons, but I don't believe that they have ever been publicly stated.

Well I heard DJB disallows cache snooping as well, I think for the same
reasons.

Best regards,
   Wouter

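As an added check, not from the post above and not part of Unbound itself: a short Python audit of the access-control lines in a constructed unbound.conf fragment, flagging any allow_snoop grant that reaches beyond the loopback range (the "only allow your own workstation" advice in the reply).

```python
import ipaddress

# Constructed sample unbound.conf fragment (not taken from the post),
# mixing the two access-control styles discussed in the reply.
SAMPLE_CONF = """
server:
    interface: 0.0.0.0
    # snooping from the local machine only
    access-control: 127.0.0.0/8 allow_snoop
    access-control: ::1 allow_snoop
    access-control: 10.0.0.0/8 allow
    # overly broad: any client may send nonrecursive probes
    access-control: 0.0.0.0/0 allow_snoop
"""


def parse_access_control(conf_text):
    """Return (network, action) pairs from every access-control line."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("access-control:"):
            continue
        parts = line.split(":", 1)[1].split()
        if len(parts) != 2:
            continue                              # malformed line, skip
        net = ipaddress.ip_network(parts[0], strict=False)
        entries.append((net, parts[1]))
    return entries


def snoop_findings(conf_text):
    """Networks granted allow_snoop that are not loopback.

    allow_snoop permits nonrecursive queries; outside the local host that
    lets clients learn which names are (or are not) in the cache, which
    is the cache snooping / poisoning concern raised in the reply.
    """
    return [str(net) for net, action in parse_access_control(conf_text)
            if action == "allow_snoop" and not net.is_loopback]


if __name__ == "__main__":
    for net in snoop_findings(SAMPLE_CONF):
        print("allow_snoop granted beyond loopback:", net)
```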