glibc

Posted Aug 5, 2008 4:26 UTC (Tue) by rickmoen (subscriber, #6943)
In reply to: glibc by nix
Parent article: Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released (Securosis.com)

Nathan (ncm) might be thinking of the caching that transpires if you start the nscd (nameservice caching daemon). It's commonly used on systems with heavyweight lookup regimes (NIS, NIS+, LDAP) to prevent system performance from bogging down excessively, by locally caching lookup of hosts, users, groups, services, RPC ports, netgroups, etc., but has the drawback that it ignores TTL values on host lookups. (That's a sufficient reason to disable host caching in /etc/nscd.conf.)

The BIND8-derived stub resolver in glibc isn't a huge security risk on most systems despite its haplessly failing to randomise UDP source ports, because the result doesn't get cached. (Thus, sending it poisoned data in an ADDITIONAL SECTION portion of a recursive DNS response doesn't do the attacker much good, because the poison gets metaphorically flushed immediately.) However, such a system with nscd caching hostnames would have a problem. (So, Don't Do That, Then.)

Rick Moen
rick@linuxmafia.com
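An added example, not part of Rick's comment or of glibc: a small audit that parses an nscd.conf and reports whether the hosts database is cached and for how long positive hits are kept, alongside the same file with host caching turned off as the comment recommends. The attribute names are the standard nscd.conf ones; both configuration samples are constructed for the example.

```python
# Added example (not from the LWN thread): audit nscd.conf host caching.
# Per-database lines are "<attribute> <database> <value>"; global lines are
# "<attribute> <value>"; '#' starts a comment. Attribute names are the
# standard nscd.conf ones; the sample configurations below are constructed.
from typing import Dict, Optional

PER_DB_ATTRS = {"enable-cache", "positive-time-to-live", "negative-time-to-live",
                "suggested-size", "check-files", "persistent", "shared",
                "max-db-size", "auto-propagate"}

def parse_nscd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {database: {attribute: value}} for per-database settings."""
    dbs: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] in PER_DB_ATTRS and len(parts) >= 3:
            dbs.setdefault(parts[1], {})[parts[0]] = parts[2]
    return dbs

def hosts_cache_report(text: str) -> Dict[str, Optional[object]]:
    """Is the hosts database cached, and for how long are positive hits kept?"""
    hosts = parse_nscd_conf(text).get("hosts", {})
    enabled = hosts.get("enable-cache", "no").lower() == "yes"
    ttl = hosts.get("positive-time-to-live")
    return {"hosts_cache_enabled": enabled,
            "positive_ttl_seconds": int(ttl) if (enabled and ttl) else None}

# Constructed sample. With hosts caching on, an nscd that ignores DNS TTLs
# keeps a looked-up address for positive-time-to-live seconds regardless of
# the record's real TTL; with it off, the glibc stub resolver's answer is
# used once and not retained.
CONF_TEMPLATE = """\
    server-user             nscd
    enable-cache            passwd  yes
    positive-time-to-live   passwd  600
    enable-cache            hosts   {hosts_cache}   # host lookups cached?
    positive-time-to-live   hosts   3600
    negative-time-to-live   hosts   20
"""
CACHING_CONF = CONF_TEMPLATE.format(hosts_cache="yes")   # the risky setting
HARDENED_CONF = CONF_TEMPLATE.format(hosts_cache="no")   # what the comment advises

if __name__ == "__main__":
    for name, conf in (("caching", CACHING_CONF), ("hardened", HARDENED_CONF)):
        print(name, hosts_cache_report(conf))
```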



glibc

Posted Aug 5, 2008 8:38 UTC (Tue) by nix (subscriber, #2304) [Link]

nscd in glibc 2.8 honours TTLs.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds