[isf-wifidog] [Fwd: SPECIFIC WEBSITES]

Sandro Mancuso
Sat 9 Apr 14:50:19 EDT 2005

I don't think it's a wise idea to not cache replies.  There's a reason
that functionality is built into almost all DNS servers.  Cache
poisoning (which I am doubtful is the case, because it requires someone
with sufficient patience to want to target specifically the wifi server)
does not occur simply because a DNS server is caching replies.  What is
actually happening is the cracker is exploiting the very poor
randomness, which BIND 8 was known for.  BIND 9 addressed this issue,
and is significantly better.  DJBDNS is a small, simple daemon, and has
significantly better randomness for the serials of all replies.

I'm not actually running one of these yet because I'm not too sure how
this stuff runs on FreeBSD machines (and I'm liking OpenBSD's capability
to authorize access via ssh login - see authpf).  However, surely you can
use some other sort of DNS server than dnsmasq and not need to combine
the functionality of DNS and DHCP into one daemon.

My two cents on this...

> On Apr 8, 2005 3:19 PM, Pascal Leclerc <isf at plec.ca> wrote:
> > DNS cache poisoning can cause intermittent problems like what our users
> > are reporting. Wifidog does nothing with the DNS query (drop or let them
> > pass to dnsmasq).
> >
> > Can it be the answer?
> Maybe dnsmasq should or shouldn't be caching replies. How is it
> currently set up?
> If it isn't (caching dns replies, so just forwarding) then keep in
> mind that bellnexxia servers are often swamped (I get intermittent
> problems with the DNS servers they assign to me).
> If it is caching replies then maybe it's eating up too much memory (or
> something involving hardware).
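A defender-side check for the weakness Sandro points at (a resolver handing out sequential, predictable 16-bit transaction IDs, the BIND 8 behaviour that makes forged answers easy to match). This is an added example, not code from the thread, wifidog or dnsmasq; the DNS headers, ID samples and the 0.5 threshold are constructed assumptions.

```python
"""Score how predictable a resolver's DNS transaction IDs are.

A forwarding resolver only accepts an answer whose 16-bit ID (and port)
match its outstanding query, so an incrementing ID allocator is the
precondition for the cache poisoning discussed in the thread. The packets
below are constructed; in practice the IDs would come from a capture of
the resolver's outgoing queries or incoming answers.
"""
import struct
from collections import Counter


def txid_from_response(packet: bytes) -> int:
    """Return the transaction ID from a raw DNS message (RFC 1035 header)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", packet[:2])[0]


def sequential_fraction(ids) -> float:
    """Fraction of consecutive ID pairs sharing the most common delta mod 2**16.

    An incrementing allocator scores ~1.0; a randomised one scores near 0.
    """
    if len(ids) < 2:
        return 0.0
    deltas = Counter((b - a) % 65536 for a, b in zip(ids, ids[1:]))
    return deltas.most_common(1)[0][1] / (len(ids) - 1)


def assess(ids, seq_threshold: float = 0.5) -> str:
    """Classify a sample of IDs; the threshold is an assumed tuning value."""
    return "predictable" if sequential_fraction(ids) >= seq_threshold else "random-looking"


def fake_response(txid: int) -> bytes:
    """Constructed 12-byte DNS header: id, flags QR|RD|RA, 1 question, 1 answer."""
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)


# Constructed samples: a BIND 8-style incrementing allocator vs. a randomised one.
SEQUENTIAL_IDS = [txid_from_response(fake_response(i)) for i in range(0x1000, 0x1010)]
RANDOM_IDS = [txid_from_response(fake_response(i)) for i in
              (0x3F2A, 0x91C4, 0x07E3, 0xB5D8, 0x4C01, 0xE27F, 0x6A99, 0x1D36)]

if __name__ == "__main__":
    for name, ids in (("sequential", SEQUENTIAL_IDS), ("random", RANDOM_IDS)):
        print(f"{name}: {assess(ids)} (sequential fraction {sequential_fraction(ids):.2f})")
```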
