nanog mailing list archives

Re: Jonathan Yarden @ TechRepublic: Disable DNS caching on workstations


From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 18 Apr 2005 21:45:54 +0200


* Jason Frisvold:

I think this is more of a question of who to trust.  Caching, in
general, isn't a bad thing provided that TTLs are adhered to.  If the
poisoning attack were to inject a huge TTL value, then that would
compromise that cache.  (Note, I am no expert on DNS poisoning, so I'm
not sure if the TTL is "attackable")

I'm not sure if you can poison the entire cache of a stub resolver
(which can't do recursive lookups on its own).  I would expect that
the effect is limited to a particular DNS record, which in turn should
expire after the hard TTL limit (surely there is one).
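The two points raised above (a forged answer carries whatever TTL the attacker likes, and a cache with a hard TTL ceiling still expires it) can be shown with a toy stub-resolver cache. This is an added example, not code from the thread or from any real resolver. The 7-day ceiling is an assumed policy value (it happens to be BIND's max-cache-ttl default, but any resolver may pick its own); the RFC 2181 section 8 rule that a TTL with the high bit set is treated as zero is real. Names and addresses in the scenario are constructed from documentation ranges.

```python
"""Toy stub-resolver cache: a poisoned record pins only its own (name, type)
key, and only until a hard TTL cap expires it.

Added illustration; not code from the thread. MAX_CACHE_TTL is an assumed
operator policy value, not a protocol constant."""

MAX_CACHE_TTL = 7 * 24 * 3600   # assumed hard cap, seconds
TTL_LIMIT = 1 << 31             # RFC 2181 s8: TTL with MSB set is treated as 0


def effective_ttl(ttl, max_ttl=MAX_CACHE_TTL):
    """Sanitise a wire TTL before it is trusted by the cache."""
    if not 0 <= ttl < TTL_LIMIT:
        return 0                 # out of range: do not cache at all
    return min(ttl, max_ttl)     # otherwise clamp to the hard limit


class StubCache:
    """Non-recursive cache keyed by (owner name, RR type)."""

    def __init__(self, max_ttl=MAX_CACHE_TTL):
        self.max_ttl = max_ttl
        self._entries = {}       # key -> (rdata, absolute expiry time)

    @staticmethod
    def _key(name, rtype):
        return (name.lower().rstrip("."), rtype.upper())

    def store(self, name, rtype, rdata, ttl, now):
        """Return True if the record was cached, False if rejected."""
        eff = effective_ttl(ttl, self.max_ttl)
        if eff == 0:
            return False
        self._entries[self._key(name, rtype)] = (rdata, now + eff)
        return True

    def lookup(self, name, rtype, now):
        """Return cached rdata, or None on miss or after expiry."""
        key = self._key(name, rtype)
        hit = self._entries.get(key)
        if hit is None:
            return None
        rdata, expires_at = hit
        if now >= expires_at:
            del self._entries[key]
            return None
        return rdata


def simulate_poisoning(max_ttl=MAX_CACHE_TTL):
    """Constructed scenario: one forged answer with the largest valid TTL,
    one with an out-of-range TTL, alongside an unrelated legitimate record."""
    cache = StubCache(max_ttl)
    t0 = 1_000_000
    # legitimate record, ordinary TTL
    cache.store("www.example.net", "A", "192.0.2.10", 300, t0)
    # forged answer for a different name, TTL 2^31-1 (largest accepted)
    cache.store("login.example.com", "A", "198.51.100.66", (1 << 31) - 1, t0)
    # forged answer with the high bit set: RFC 2181 says treat as TTL 0
    huge_accepted = cache.store("mail.example.com", "A", "198.51.100.67",
                                0xFFFFFFFF, t0)
    return {
        "huge_ttl_accepted": huge_accepted,
        "poisoned_at_t1": cache.lookup("login.example.com", "A", t0 + 1),
        "other_at_t1": cache.lookup("www.example.net", "A", t0 + 1),
        "other_after_own_ttl": cache.lookup("www.example.net", "A", t0 + 300),
        "poisoned_before_cap": cache.lookup("login.example.com", "A",
                                            t0 + max_ttl - 1),
        "poisoned_after_cap": cache.lookup("login.example.com", "A",
                                           t0 + max_ttl),
    }


if __name__ == "__main__":
    for k, v in simulate_poisoning().items():
        print(f"{k}: {v}")
```

The scenario shows the bound Florian describes: the forged login.example.com record is served for the whole clamped window, but the unrelated www.example.net entry is never touched and expires on its own TTL, and the forged record itself disappears once the cap is reached. Without the clamp in effective_ttl, the same record would sit in the cache for roughly 68 years.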

