dnsparanoia broken in 1.0.11?

nextime at nexlab.it nextime at nexlab.it
Wed Apr 2 17:03:04 UTC 2008

On Wed, Apr 02, 2008 at 01:04:10PM +0200, Gunther Mayer wrote:
> wlan at mac.com wrote:
>> No, it looks to be doing it's job. It drops packets with type codes other 
>> than 1 (A records) and 5 (CNAME records). Perhaps it is being too 
>> restrictive...
> If you are right then it definitely is being too restrictive as my firefox 
> really is taking forever(>20sec) to resolve my uamserver (without 
> dnsparanoia it's lightning fast). Not sure though what types 2, 6 and 12 
> really are and if it really is firefox that's causing them. Else I think 

I don't think that permitting only A and CNAME is too restrictive,
opposite, i think that is too permissive, i don't use dnsparanoia option
as i was fight with dnstunnels before it was developed, but with my
system i also check the rate of records A and CNAME to permit only few
request for minute  from a single host.

This cause many nstunnelling software can make tunnels also over A
records, so, dropping all but A and CNAME isn't a final solution.

The problem i think that is related on how dnsparanoia manage dns
request different from A and CNAME. If i understand right, it simply
DROP any request that don't match A or CNAME type. This cause firefox to
wait for reply, so, it need to wait for a sort of internal timeout or
resolver timeout. This is why you see ff so slow.

dnsparanoia in my opinion shuld respond also on others query, but with a
fake response like "no record found". I do this and i have no sloweness
on ff or other browsers

>> I'll revisit this when I have a chance. In the meantime, simply turn off 
>> the feature. Btw, are you _actually_ having a problem with people using 
>> DNS tunnels?
> I did turn it off now. I doubt I really have a problem with dns tunnel 
> abuse, though this is really hard to know for sure. I mean it really is 
> infeasible run tcpdump at all my sites the whole day and then sift through 
> the output to detect possible abuse. I guess I'm just that - suffering from 
> dnsparanoia ;-)

To check if you have problems with dnstunnels you can permit to use only
a specific dns server hosted by you, and analizing the requests you can
discover dnstunnels.

I was having many problems with dnstunnels some time ago, this is why i
was implementing my way to save me from dnstunnels before dnsparanoia
was implemented. When dnsparanoia will do also some others and more
paranoic checks on request rate over A and CNAME, maybe i will use it,
but actually it isn't so "paranoia" for me :)

> Gunther
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: chilli-unsubscribe at coova.org
> For additional commands, e-mail: chilli-help at coova.org
> Wiki: http://coova.org/wiki/index.php/CoovaChilli
> Forum: http://coova.org/phpBB3/viewforum.php?f=4


Franco (nextime) Lanza
Busto Arsizio - Italy

NO TCPA: http://www.no1984.org
you can download my public key at:
http://danex.nexlab.it/nextime.asc || Key Servers
Key ID = D6132D50
Key fingerprint = 66ED 5211 9D59 DA53 1DF7  4189 DFED F580 D613 2D50
echo 16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D212153574F444E49572045535520454D20454B414D204F54204847554F4E452059415020544F4E4E4143205345544147204C4C4942snlbxq | dc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.coova.org/pipermail/chilli/attachments/20080402/d3c659cb/attachment.pgp>

More information about the Chilli mailing list