Solution to MacDNS problem (keywords MacDNS DNS Macintosh

[dbrown () CMR GOV (Dan Brown)]

> From another email list:




Forwarded message:
> From net-troubleshooting () aggroup com  Mon Jul  7 10:43:29 1997
> X-POP3-Rcpt: ntrouble@aggroup
> Delivery-Date: Mon, 07 Jul 97 07:29:42 -0700
> Message-Id: <33C0C657.2071 () acrcorp com>
> Date: Mon, 07 Jul 1997 10:35:07 +0000
> From: Matt Leo <Matt () acrcorp com>
> Reply-To: Matt () acrcorp com
> Organization: Advanced Computer Resources
> X-Mailer: Mozilla 3.0Gold (Macintosh; I; PPC)
> Mime-Version: 1.0
> To: Net-Troubleshooting <Net-Troubleshooting () aggroup com>
> Subject: Solution to MacDNS problem (keywords MacDNS DNS Macintosh firewall)
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Precedence: Bulk
>
> Earlier I posted a problem about MacDNS crashing on a 6100/66. We went
> through several machines and O/S upgrades to no avail.
>
> I have since solved the problem, and I am posting the solution here.
>
> The problem turned out to be that the firewall was sending DNS requests
> at a sufficiently high rate to crash MacDNS. Among other things, the
> firewall attempted to resolve the inverse domain name of every URL
> requested by users.  This could amount to bursts of several DNS requests
> per second over several seconds.
>
> This may have possibly resulted in some buffer in either the MacOS or
> MacDNS being overrun (Warning: this might be used for a D.O.S. attack on
> sites using MacDNS) and a subsequent O/S crash.  This problem may or may
> not apply to other Mac based DNS products.
>
> The solution is to reconfigure the bastion host to use its own name
> resolver.  However, this may expose some internal DNS information to the
> outside world;  we are considering using packet filtering to address
> this problem.


--
Dan Brown
dbrown () seismo css gov