The problem with nscd (was RE: NetworkManager & bind)

Alan Cox alan at redhat.com
Tue Jan 18 14:34:34 UTC 2005


On Tue, Jan 18, 2005 at 08:23:23AM -0600, Rodolfo J. Paiz wrote:
> It is CERTAINLY not a reason to install BIND on all desktops. Bloat,
> increased resource requirements, increased security risk, slower system
> response, pick your reasons... all of these are applicable and true to
> some degree.

Definitely true. In addition, bind won't work at all through a strong firewall,
or worse yet can be used for systematic DoS attacks aimed at taking out
NAT-tracking firewalls running UDP sessions. These attacks are very well
known and understood. [1]

Installing bind is not a solution.

Alan

[1] It goes like this:
Your NAT box has finite resources for UDP sessions.
If you visit a web page I control then I can serve a page that includes
an iframe reloading continually, each time with a new DNS query
required, all of which point to a host I control.
After about 60,000 DNS queries (maybe only a couple of minutes) you are out
of UDP ports. Worse yet, in many cases you will be querying my DNS server
from your DNS server and making temporary holes in the firewall between the
two. I can now see through your firewall in limited ways, with probable port
reuse going to land me access to something.
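The following is an added illustration of the footnote's attack, not part of Alan's mail or of any bind or Fedora code. It models a stateful NAT with a bounded UDP session table and an idle timeout, a stub resolver behind it that must send one query per never-before-seen hostname, and an attacker page whose reloads each name a new host under the attacker's zone. The table capacity (60,000), the 180-second idle timeout, the 500 queries per second, the addresses, the sequential ephemeral ports and the port-preserving NAT are all assumed, illustrative values, chosen only so that the numbers in the footnote can be reproduced and so that the "temporary hole" (a reply from the attacker's name server is admitted while the entry is live and dropped once it expires) can be checked directly.

```python
"""Toy model of NAT UDP-state exhaustion driven by DNS queries.

Added example, not from the original mail. All sizes, timeouts, rates and
addresses below are assumptions made for illustration.
"""
from collections import OrderedDict

RESOLVER_IP = "10.0.0.2"       # assumed: caching resolver behind the NAT
ATTACKER_NS = "203.0.113.53"   # assumed: attacker's authoritative server
DNS_PORT = 53


class NatUdpTable:
    """Bounded UDP session table with an idle timeout.

    Simplification: the NAT is modelled as port-preserving, so a flow is keyed
    by the inside (ip, port) and the remote (ip, port) and the same key is
    used to decide whether an inbound datagram matches a live entry.
    """

    def __init__(self, capacity, idle_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        # flow -> expiry time; insertion order equals expiry order because
        # time only moves forward and every refresh moves the entry to the end.
        self.entries = OrderedDict()
        self.dropped = 0

    def _expire(self, now):
        while self.entries:
            _flow, expiry = next(iter(self.entries.items()))
            if expiry > now:
                break
            self.entries.popitem(last=False)

    def outbound(self, now, flow):
        """Inside host sends a datagram. Returns False if no state can be created."""
        self._expire(now)
        if flow in self.entries:
            self.entries.move_to_end(flow)
        elif len(self.entries) >= self.capacity:
            self.dropped += 1          # table full: datagram has nowhere to go
            return False
        self.entries[flow] = now + self.idle_timeout
        return True

    def inbound(self, now, flow):
        """Outside datagram passes only while a matching entry is live."""
        self._expire(now)
        return flow in self.entries


def simulate(rate_per_s=500, seconds=125, capacity=60000, idle_timeout=180.0):
    """Drive the NAT with one DNS query per iframe reload and report the damage."""
    queries = rate_per_s * seconds
    assert queries <= 64512, "model assumes one unused ephemeral port per query"
    nat = NatUdpTable(capacity, idle_timeout)
    cache = set()                      # resolver cache: a hit would avoid a query
    first_drop_at = None
    for i in range(queries):
        now = i / rate_per_s
        # Each reload names a fresh host under the attacker's zone, so the
        # resolver never has it cached and must send a new query.
        name = f"r{i}.attacker.example"
        if name in cache:
            continue
        cache.add(name)
        # Assumed: the resolver uses a fresh ephemeral source port per query.
        flow = (RESOLVER_IP, 1024 + i, ATTACKER_NS, DNS_PORT)
        if not nat.outbound(now, flow) and first_drop_at is None:
            first_drop_at = now
    # Steady-state table size is roughly rate_per_s * idle_timeout, so the
    # attack only succeeds when that product exceeds the table capacity.
    stats = {
        "queries": queries,
        "table_size": len(nat.entries),
        "dropped": nat.dropped,
        "first_drop_at": first_drop_at,
    }
    return nat, stats


def reply_passes_firewall(nat, now, resolver_port):
    """Would a datagram from the attacker's NS to this resolver port get in?"""
    return nat.inbound(now, (RESOLVER_IP, resolver_port, ATTACKER_NS, DNS_PORT))


if __name__ == "__main__":
    nat, stats = simulate()
    print(stats)
    print("hole open at t=125s:", reply_passes_firewall(nat, 125.0, 1024))
    print("hole open at t=400s:", reply_passes_firewall(nat, 400.0, 1024))
    print("short idle timeout:", simulate(idle_timeout=30.0)[1])
```

Running the default scenario fills the 60,000-entry table at t = 120 s and then drops every further query, while a reply from the attacker's name server to any of the resolver's live source ports is admitted until the entry idles out. Rerunning with a 30-second idle timeout keeps the table near 15,000 entries and nothing is dropped, which is the quantitative form of the footnote's point: what matters is the query rate times the NAT's UDP idle timeout against the size of its state table.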

More information about the fedora-test-list mailing list