North American Network Operators Group

Re: [Fwd: Re: DNS attacks evolve]
FYI. There was some question here about whether PowerDNS was vulnerable or not and what it was doing, so I asked Bert Hubert about it. Here is his answer:

-------- Original Message --------
Subject: Re: [Fwd: Re: DNS attacks evolve]
Date: Wed, 13 Aug 2008 21:29:50 +0200
From: bert hubert <[email protected]>
To: Mike Leber <[email protected]>
References: <[email protected]>

On Mon, Aug 11, 2008 at 11:12:35AM -0700, Mike Leber wrote:

> Is there any post anywhere that provides more technical detail about how the PowerDNS cache is not vulnerable?
Near miss detection is documented here:

http://doc.powerdns.com/built-in-recursor.html

    spoof-nearmiss-max
        If set to non-zero, PowerDNS will assume it is being spoofed after seeing this many answers with the wrong id. Defaults to 20.

Some more is in:

http://doc.powerdns.com/recursor-details.html

> I'll post a link to it and provide other operators a better answer than the equivalent of "because I say so". The answer could be anything such as "we reject updates to glue when", or "it takes 10 years based on these calculations...".
These calculations go beyond what powerdns 3.1.7 does however.
Or 1 year, or 2 years or a century.

Bert

--
http://www.PowerDNS.com       Open source, database driven DNS Software
http://netherlabs.nl          Open and Closed source services
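To make the near-miss idea concrete, here is an added illustration of the detection logic the spoof-nearmiss-max setting describes: a counter of answers that arrive for an outstanding query but carry the wrong transaction ID, with the query abandoned once the counter reaches the threshold (default 20). This is example code written for this page, not PowerDNS source; the page does not say what the recursor does once it decides it is being spoofed, so the detector here only reports the condition (the "spoofed" result, the PendingQuery/NearMissDetector names and the simulate() helper are all assumptions).

```python
"""Near-miss spoof detection modelled on PowerDNS recursor's spoof-nearmiss-max.

Constructed example, not PowerDNS code. A near miss is an answer for a name
we are waiting on whose transaction ID does not match the one we sent.
"""
from dataclasses import dataclass, field

SPOOF_NEARMISS_MAX = 20  # default value quoted from the PowerDNS documentation


@dataclass
class PendingQuery:
    qname: str
    txid: int              # 16-bit transaction ID we sent
    near_misses: int = 0   # answers for this name seen with a wrong ID


@dataclass
class NearMissDetector:
    threshold: int = SPOOF_NEARMISS_MAX   # 0 disables detection, as in the docs
    pending: dict = field(default_factory=dict)   # qname -> PendingQuery

    def send_query(self, qname, txid):
        self.pending[qname] = PendingQuery(qname, txid)

    def receive_answer(self, qname, txid):
        """Classify one answer: 'accept', 'ignore', 'spoofed' or 'unexpected'."""
        q = self.pending.get(qname)
        if q is None:
            return "unexpected"          # nothing outstanding for this name
        if txid == q.txid:
            del self.pending[qname]
            return "accept"              # genuine answer, cache it
        q.near_misses += 1               # wrong ID: count the near miss
        if self.threshold and q.near_misses >= self.threshold:
            del self.pending[qname]      # assume spoofing; abandon this query
            return "spoofed"
        return "ignore"                  # wrong ID, below threshold: drop it


def simulate(answers, threshold=SPOOF_NEARMISS_MAX):
    """Feed a constructed stream of (qname, txid) answers against one query."""
    d = NearMissDetector(threshold)
    d.send_query("www.example.com.", 0x1A2B)   # constructed sample query
    return [d.receive_answer(name, txid) for name, txid in answers]
```

With the default threshold a burst of wrong-ID answers trips the detector on the 20th; with threshold 0 the same burst is silently ignored and the correct answer is still accepted.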