Maintained by: NLnet Labs

[Unbound-users] allowing cache queries but not doing recursion for "foreign" networks

Greg A. Woods; Planix, Inc.
Sun Feb 15 21:13:56 CET 2009


On 15-Feb-2009, at 12:29 PM, Paul Wouters wrote:
>>> I.e. anyone can see anything in my cache except my private data
>
> You want them to not "use" the cache, but allow them to "debug" the  
> cache.

Yes, exactly.  Well, at least the current cache contents.  I've long  
ago given up on the desire to allow full testing of a DNS caching  
resolver so that the tester can see how it recursively resolves  
answers to new queries.  My experience now shows that it is the current  
cache contents that are the most important to debugging and testing  
from remote sites.


> To me, "debug" is a higher privilege than "using".

While that is certainly true for some meanings of "debug", in this  
case the person doing the debugging may very well "own" the data that  
is in the remote DNS cache, or they may be answering support queries  
for people who are at remote sites, etc., etc., etc.

In fact I end up having to debug other people's cache data on an  
almost daily basis.  In recent years I almost always have to gain  
access to a system on a network their caching nameserver(s) trust in  
order to do such debugging, and that's not always easy, but it is  
almost always possible in one way or another.  Caches almost never  
manage to protect their copy of my data from my view anyway -- they  
just make it very annoying to get at.

Even more hypocritical are those large access providers who might  
think they are gaining some security advantage by preventing the half  
of the world they don't provide access to from querying the caching  
nameservers used by the half of the world they do provide access to.   
99.999% of the time the most worrying attacks will come from the  
networks they "trust" even if they don't provide access to half the  
world.  Sure it might help that they have contractual relationships  
with the customers who own machines that might attack them, but in  
practice they almost never exercise the management level controls they  
could use in order to kick offending customers off their networks  
(Cogeco being one recent example I know of to the contrary).

While I definitely do worry about attacks that can abuse caching  
nameservers, I have a very strong desire to keep the public data in  
them publicly available.

-- 
					Greg A. Woods; Planix, Inc.
					<woods at planix.ca>
