glibc
glibc
Posted Jul 9, 2008 20:54 UTC (Wed) by nix (subscriber, #2304)In reply to: glibc by ncm
Parent article: Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released (Securosis.com)
I can't see any sign that glibc's internal libresolv or nss-dns layer can be told to cache anything but DNS server addresses at all. (Of course nscd can cache DNS responses, and expire them.)
Posted Aug 5, 2008 4:26 UTC (Tue)
by rickmoen (subscriber, #6943)
[Link] (1 responses)
Posted Aug 5, 2008 8:38 UTC (Tue)
by nix (subscriber, #2304)
[Link]
glibc
Nathan (ncm) might be thinking of the caching that transpires if you start the nscd
(nameservice
caching daemon). It's commonly used on systems with heavyweight lookup regimes (NIS, NIS+,
LDAP) to prevent system performance from bogging down excessively, by locally caching lookup
of
hosts, users, groups, services, RPC ports, netgroups, etc. but has the drawback that it
ignores TTL
values on host lookups. (That's a sufficient reason to disable host caching in /etc/nscd.conf
.)
The BIND8-derived stub resolver in glibc isn't a huge security risk on most systems despite
its
haplessly failing to randomise UDP source ports, because the result doesn't get cached.
(Thus,
sending it poisoned data in an ADDITIONAL SECTION portion of a recursive DNS response doesn't
do the attacker much good, because the poison gets metaphorically flushed immediately.)
However, such a system with nscd caching hostnames would have a problem. (So, Don't Do That,
Then.)
Rick Moen
rick@linuxmafia.com
glibc
nscd in glibc 2.8 honours TTLs.