Maintained by: NLnet Labs

[Unbound-users] allowing cache queries but not doing recursion for "foreign" networks

Ondřej Surý
Mon Feb 16 00:30:43 CET 2009

> I'm not convinced making some tiny form of this information available from
> the local DNS cache is of any more value to an attacker than the myriad of
> other ways they can learn the same information.

I am sure that there are plenty of people who can use information from cache
to prime attacks or use that information just to snoop into one's private life.

> Most importantly I will claim for the moment that these kinds of attacks
> cannot be eliminated by simply preventing cache snooping.  They are
> indicative of flaws in other areas and while they may be mitigated slightly
> in the near term by preventing cache snooping, they can only be prevented by
> correcting other flaws.

So what? We open another privacy and security hole we already trying to close?

>> It also complicates the end-user experience.  If someone hardcodes my DNS
>> servers into their machine and moves off of my network, lookups of
>> popular,
>> cached RRs will mostly work and other lookups will mysteriously fail,
>> perhaps a week in the future after they've forgotten what they've done.
>>  It
>> seems much more clear to just have nothing work until they fix their
>> config.
> I'm not really concerned at all about such issues.  Perhaps it is sad for me
> to say so, but they are inevitably someone else's problem, not mine.

Here's the problem. You are trying to enforce your view, since it's your current
problem. But I hope that's never going to happen in Unbound. We are supposed
to fixup the old wounds and not open them again and again.

>> The fact that it is in a cache or not and when it was retrieved is the
>> sensitive data, not the public data that was retrieved.
> That information is not really any more sensitive than anything else done on
> a _public_ network.

It is. Since anybody around the globe could query the cache - he doesn't have
to be MITM or sitting at the end points.

> If anyone can show me any real (i.e. no hand waving or ranting!) attacks
> where cache snooping is a very important contributor that cannot be replaced
> by other mechanisms then I'll certainly pay attention.

Ok, again. Reasoning "there are plenty of holes" so leave this open as well is
not going to make internet safer.

And I think we are really going offtopic - this is more general DNS issue than
Unbound specific.

Ondřej Surý <ondrej at>