
Re: caching dns lookups



Nadav Har'El wrote:

> Lastly, Dan, are you sure you really want to use a DNS cache? What was the
> reason you decided you wanted one?
> In most cases a DNS cache is not useful to "ordinary" modem users. Why?
[snip]


Security: if programs on your box query the ISP's DNS directly, they'll
do so from arbitrary (user) ports. In your packet filter you'll need to
allow incoming UDP packets and incoming TCP connections from port 53 of
your ISP's DNS to *any* port on your box. Worse yet, if you have a
firewalled LAN you need to forward all such packets/connections for any
box on the LAN. Major security issue (what if someone cracks your ISP's
DNS or spoofs it?). Connection tracking helps a bit, but is far from
perfect (esp. for UDP replies, since there is no explicit connection
close, so the "connection" is considered established long after the DNS
query was finished).

With a properly configured caching nameserver on your firewall, you just
need to allow packets/connections from port 53 of the ISP's DNS to port
53 of your box. If you're in LAN settings there's also the obvious
administration advantage.

In case I'm getting this wrong, well, so are the authors of every
firewall setup I've checked...

  Regards,
    Eran Tromer
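The two rule sets contrasted above, rendered as iptables commands, as an added example that is not part of the original post. ISP_DNS, EXT_IF and LAN are assumed placeholders (the ISP resolver address is a documentation address, not a real one); DRY_RUN=1 (the default) prints the rules instead of applying them, so the script can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the original post. Shows the size of the hole a
# packet filter must open for DNS replies in the two setups the message
# compares. ISP_DNS, EXT_IF and LAN are assumed values; override from the
# environment. Replies arrive from source port 53 of the ISP's resolver.
ISP_DNS="${ISP_DNS:-192.0.2.53}"     # assumed ISP resolver (documentation net)
EXT_IF="${EXT_IF:-ppp0}"             # assumed external (modem) interface
LAN="${LAN:-192.168.1.0/24}"         # assumed firewalled LAN behind this box

# Print the iptables command (DRY_RUN=1) or run it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Setup 1: every program on every box resolves against the ISP directly.
# Queries leave from arbitrary unprivileged ports, so replies from the ISP's
# port 53 have to be accepted to ANY such port, and forwarded to ANY LAN host.
dns_rules_direct() {
    run -A INPUT   -i "$EXT_IF" -p udp -s "$ISP_DNS" --sport 53 --dport 1024:65535 -j ACCEPT
    run -A INPUT   -i "$EXT_IF" -p tcp -s "$ISP_DNS" --sport 53 --dport 1024:65535 -j ACCEPT
    run -A FORWARD -i "$EXT_IF" -p udp -s "$ISP_DNS" --sport 53 -d "$LAN" --dport 1024:65535 -j ACCEPT
    run -A FORWARD -i "$EXT_IF" -p tcp -s "$ISP_DNS" --sport 53 -d "$LAN" --dport 1024:65535 -j ACCEPT
}

# Setup 2: a caching nameserver on the firewall forwards to the ISP and is
# configured to send its own queries from port 53. Only the firewall's
# resolver talks to the outside, only between port 53 and port 53, and LAN
# hosts talk only to the firewall. Nothing from port 53 is forwarded inward.
dns_rules_cache() {
    run -A OUTPUT  -o "$EXT_IF" -p udp -d "$ISP_DNS" --sport 53 --dport 53 -j ACCEPT
    run -A OUTPUT  -o "$EXT_IF" -p tcp -d "$ISP_DNS" --sport 53 --dport 53 -j ACCEPT
    run -A INPUT   -i "$EXT_IF" -p udp -s "$ISP_DNS" --sport 53 --dport 53 -j ACCEPT
    run -A INPUT   -i "$EXT_IF" -p tcp -s "$ISP_DNS" --sport 53 --dport 53 -j ACCEPT
    run -A INPUT ! -i "$EXT_IF" -p udp -s "$LAN" --dport 53 -j ACCEPT
    run -A INPUT ! -i "$EXT_IF" -p tcp -s "$LAN" --dport 53 -j ACCEPT
    run -A FORWARD -i "$EXT_IF" -p udp --sport 53 -j DROP
    run -A FORWARD -i "$EXT_IF" -p tcp --sport 53 -j DROP
}

# Usage: sh dnsrules.sh direct|cache   (no argument: define functions only)
case "${1:-}" in
    direct) dns_rules_direct ;;
    cache)  dns_rules_cache ;;
esac
```

The 53-to-53 rule in the second set only holds if the caching nameserver is configured to query from port 53 (in BIND this is the query-source port option). Since the 2008 cache-poisoning work, resolvers randomize their query source port by default, so a practitioner today would let the resolver's replies through with a connection-tracking match on the resolver's own flows rather than pinning the port; the part that still stands is that only one process on the firewall, not every host on the LAN, is reachable from the ISP's port 53.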

=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il