Wednesday 1 June 2016

Re: ANN: DNS resolver changes in yakkety

Martin Pitt [2016-06-01 9:21 +0200]:
> Sending 32768 packets at once doesn't buy you anything -- if the first
> one is right (presumably ID 0), you already won, and if it's wrong,
> the DNS transaction is already aborted, and the other 32767 spam
> packets will just go into the void. You need to actually do 32768
> fresh DNS queries -- and after you miss the first time, you need to
> wait for the TTL of the cached entry before you can actually do
> another attempt.

Sorry, the part after the "--" is actually wrong. If you do send a
forged entry with a wrong ID, then the response of the real DNS server
is discarded as well, so the lookup just fails. Thus you don't need to
wait for the TTL; this is simply a DoS.

> So again, disabling caching does not change the chances here at all.

This is still true with the above.

Martin

--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
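The following is an added example, not code from this thread, Ubuntu or any resolver. It models the transaction-ID guessing game exactly as the message describes it: a lookup carries a random 16-bit ID, the first response to arrive is checked against it, a match is accepted (poisoned if forged) and a mismatch aborts the lookup so that the real answer is discarded too (the DoS Martin mentions). Whether a given resolver really aborts on the first mismatched ID or keeps waiting for the genuine answer is resolver-specific; treating "abort on mismatch" as the rule is an assumption taken from the message. The class and function names (ModelResolver, run_lookup, flood, p_poison_fresh) are hypothetical, and the exact probabilities are obtained by enumerating all 65536 IDs rather than by random sampling.

```python
"""Added example: the DNS transaction-ID guessing model from the thread.
Assumption (from the message): the first mismatched response aborts the
lookup, so the genuine answer arriving afterwards is discarded as well."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

ID_BITS = 16                 # plain 16-bit transaction ID, no source-port entropy
ID_SPACE = 1 << ID_BITS      # 65536 possible IDs


@dataclass(frozen=True)
class Response:
    txid: int
    forged: bool             # True = attacker's packet, False = real server


class ModelResolver:
    """One outstanding lookup identified by a 16-bit transaction ID.

    The first response to arrive is compared with that ID:
      match    -> answer accepted ("poisoned" if it was forged, else "clean")
      mismatch -> lookup "failed"; anything arriving later goes into the void
    """

    def __init__(self, txid: int) -> None:
        self.txid = txid
        self.state = "open"

    def deliver(self, r: Response) -> None:
        if self.state != "open":
            return                               # late packets are ignored
        if r.txid == self.txid:
            self.state = "poisoned" if r.forged else "clean"
        else:
            self.state = "failed"                # assumption: abort on mismatch


def run_lookup(txid: int, forged: Iterable[Response]) -> str:
    """Attacker's forged packets win the race and arrive before the real answer."""
    res = ModelResolver(txid)
    for r in forged:
        res.deliver(r)
        if res.state != "open":
            break                                # lookup already decided
    res.deliver(Response(txid, forged=False))    # genuine answer arrives last
    return res.state


def outcome_distribution(forged: List[Response]) -> Dict[str, float]:
    """Exact per-lookup outcome probabilities: enumerate every ID the resolver
    could have chosen uniformly, run the lookup once per ID, and normalise."""
    counts = {"poisoned": 0, "failed": 0, "clean": 0}
    for txid in range(ID_SPACE):
        counts[run_lookup(txid, forged)] += 1
    return {k: v / ID_SPACE for k, v in counts.items()}


def flood(k: int) -> List[Response]:
    """Strategy A from the message: k forged answers with IDs 0..k-1 fired at
    one lookup. Only the first one is ever compared with the real ID."""
    return [Response(i, forged=True) for i in range(k)]


def p_poison_flood(k: int) -> float:
    """Chance that flooding one lookup with k packets poisons it."""
    return outcome_distribution(flood(k))["poisoned"]


def p_poison_fresh(k: int) -> float:
    """Strategy B: k separate lookups, one forged guess each. Each lookup is an
    independent trial, so the attacker gets k chances instead of one."""
    p_one = outcome_distribution(flood(1))["poisoned"]
    return 1.0 - (1.0 - p_one) ** k


if __name__ == "__main__":
    k = 32768
    print(f"flood {k} packets at one lookup : P(poison) = {p_poison_flood(k):.3e}")
    print(f"{k} fresh lookups, one guess each: P(poison) = {p_poison_fresh(k):.3f}")
    print("per-lookup outcomes for the flood:", outcome_distribution(flood(k)))
```

Under this model a 32768-packet flood poisons with probability 1/65536, identical to a single forged packet, because the lookup is decided by the first packet the resolver sees; the other 32767 change nothing. The same 32768 packets spread over 32768 fresh lookups reach roughly a 39% success chance (1 - (1 - 1/65536)^32768). Every miss ends as a failed lookup rather than a cached genuine answer, which is why caching or its absence does not enter the odds. A resolver that also randomises the UDP source port enlarges the space the attacker must guess well beyond ID_BITS, which this model can express by raising that constant.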