dnsparanoia broken in 1.0.11?
nextime at nexlab.it
nextime at nexlab.it
Wed Apr 2 17:03:04 UTC 2008
On Wed, Apr 02, 2008 at 01:04:10PM +0200, Gunther Mayer wrote:
> wlan at mac.com wrote:
>> No, it looks to be doing it's job. It drops packets with type codes other
>> than 1 (A records) and 5 (CNAME records). Perhaps it is being too
>> restrictive...
> If you are right then it definitely is being too restrictive as my firefox
> really is taking forever(>20sec) to resolve my uamserver (without
> dnsparanoia it's lightning fast). Not sure though what types 2, 6 and 12
> really are and if it really is firefox that's causing them. Else I think
I don't think that permitting only A and CNAME is too restrictive,
opposite, i think that is too permissive, i don't use dnsparanoia option
as i was fight with dnstunnels before it was developed, but with my
system i also check the rate of records A and CNAME to permit only few
request for minute from a single host.
This cause many nstunnelling software can make tunnels also over A
records, so, dropping all but A and CNAME isn't a final solution.
The problem i think that is related on how dnsparanoia manage dns
request different from A and CNAME. If i understand right, it simply
DROP any request that don't match A or CNAME type. This cause firefox to
wait for reply, so, it need to wait for a sort of internal timeout or
resolver timeout. This is why you see ff so slow.
dnsparanoia in my opinion shuld respond also on others query, but with a
fake response like "no record found". I do this and i have no sloweness
on ff or other browsers
>> I'll revisit this when I have a chance. In the meantime, simply turn off
>> the feature. Btw, are you _actually_ having a problem with people using
>> DNS tunnels?
> I did turn it off now. I doubt I really have a problem with dns tunnel
> abuse, though this is really hard to know for sure. I mean it really is
> infeasible run tcpdump at all my sites the whole day and then sift through
> the output to detect possible abuse. I guess I'm just that - suffering from
> dnsparanoia ;-)
To check if you have problems with dnstunnels you can permit to use only
a specific dns server hosted by you, and analizing the requests you can
discover dnstunnels.
I was having many problems with dnstunnels some time ago, this is why i
was implementing my way to save me from dnstunnels before dnsparanoia
was implemented. When dnsparanoia will do also some others and more
paranoic checks on request rate over A and CNAME, maybe i will use it,
but actually it isn't so "paranoia" for me :)
> Gunther
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: chilli-unsubscribe at coova.org
> For additional commands, e-mail: chilli-help at coova.org
> Wiki: http://coova.org/wiki/index.php/CoovaChilli
> Forum: http://coova.org/phpBB3/viewforum.php?f=4
--
Franco (nextime) Lanza
Busto Arsizio - Italy
SIP://casa@casa.nexlab.it
NO TCPA: http://www.no1984.org
you can download my public key at:
http://danex.nexlab.it/nextime.asc || Key Servers
Key ID = D6132D50
Key fingerprint = 66ED 5211 9D59 DA53 1DF7 4189 DFED F580 D613 2D50
-----------------------------------
echo 16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D212153574F444E49572045535520454D20454B414D204F54204847554F4E452059415020544F4E4E4143205345544147204C4C4942snlbxq | dc
-----------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.coova.org/pipermail/chilli/attachments/20080402/d3c659cb/attachment.pgp>
More information about the Chilli
mailing list