[isf-wifidog] [Fwd: SPECIFIC WEBSITES]

David Vincelli micologist at gmail.com
Sun 10 Apr 11:07:45 EDT 2005


On Apr 9, 2005 2:50 PM, Sandro Mancuso <liquid at liquidonline.ca> wrote:
> I don't think it's a wise idea to not cache replies.  There's a reason
> that functionality is built into almost all DNS servers.  

It's my opinion too, but this is an embedded platform after all.
Though, IIRC the units have 16 megs of RAM which is more than enough.
We have no real need for a private DNS server on the routers anyway.
Forwarding w/ caching is all it does.

> Cache
> poisoning (which I am doubtful is the case, because it requires someone
> with sufficient patience to want to target specifically the wifi server)
> does not occur simply because a dns server is caching replies.  What is
> actually happening is the cracker is exploiting the very poor
> randomness, which BIND 8 was known for.  BIND 9 addressed this issue,
> and is significantly better.  DJBDNS is a small, simple daemon, and has
> significantly better randomness for the serials of all replies.

I wasn't implying that it was the case that our (dnsmasq) caches were
being poisoned. What I was implying is: maybe dnsmasq has a bug or
performs poorly in this environment (again, that's maybe - I'm not
making claims here).
 
> I'm not actually running one of these yet because I'm not too sure how
> this stuff runs on FreeBSD machines (and I'm liking OpenBSD's capability
> to authorize access via ssh login - see authpf).  

Well, isc-bind is pretty easy to set up. authpf is very nice but what
does it have to do with this topic?

> However surely you can
> use some other sort of DNS server than dnsmasq and not need to combine
> the functionality of DNS and dhcp into one daemon.

Maybe but it must have a very small footprint. I don't know which
packages are available for the linksys routers. Perhaps someone else
can provide the details.

-- 
David Vincelli
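The quoted message attributes BIND 8's poisoning problem to poorly randomised reply IDs. The following is an added example (not from this thread or any of the projects named in it) of a defensive check an operator could run on captured traffic from their own resolver: it parses the 16-bit transaction ID out of DNS message bytes and flags ID sequences that advance by a fixed step or reuse values heavily. All traffic here is constructed inline; `build_query` and the thresholds are assumptions for illustration.

```python
"""Audit a resolver's DNS transaction IDs for predictability (constructed data)."""
import random
import struct
from collections import Counter


def txid_from_message(msg: bytes) -> int:
    """The ID is the first 16-bit big-endian field of the DNS header (RFC 1035)."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes")
    return struct.unpack("!H", msg[:2])[0]


def build_query(txid: int, name: str = "example.com") -> bytes:
    """Constructed minimal A query, used only to manufacture sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, RD flag, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def id_stats(ids):
    """Distinct-ID ratio and the share of consecutive deltas that repeat."""
    n = len(ids)
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    top = Counter(deltas).most_common(1)[0][1] if deltas else 0
    return {
        "n": n,
        "distinct_ratio": len(set(ids)) / n,
        "repeated_delta_ratio": top / len(deltas) if deltas else 0.0,
    }


def looks_predictable(ids, delta_threshold=0.5, distinct_threshold=0.9) -> bool:
    """Flag a counter-like ID sequence or heavy reuse of IDs (assumed thresholds)."""
    s = id_stats(ids)
    return (s["repeated_delta_ratio"] > delta_threshold
            or s["distinct_ratio"] < distinct_threshold)


# Constructed samples: a simple counter (weak) and seeded random draws (expected).
COUNTER_IDS = [txid_from_message(build_query(0x1000 + i)) for i in range(200)]
_rng = random.Random(2005)
RANDOM_IDS = [txid_from_message(build_query(_rng.randrange(65536))) for _ in range(200)]

if __name__ == "__main__":
    for label, ids in (("counter", COUNTER_IDS), ("random", RANDOM_IDS)):
        verdict = "predictable" if looks_predictable(ids) else "ok"
        print(label, id_stats(ids), verdict)
```

On real captures, feed the UDP payloads of outgoing queries to `txid_from_message` in arrival order; the delta test is what separates a counter from random draws at small sample sizes.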

