Message-ID: <Pine.BSM.4.64L.2406231849390.22076@herc.mirbsd.org>
Date: Sun, 23 Jun 2024 18:52:54 +0000 (UTC)
From: Thorsten Glaser <tg@...bsd.de>
To: musl@...ts.openwall.com
cc: Jan Mercl <0xjnml@...il.com>, Lance Yang <ioworker0@...il.com>
Subject: Re: [PATCH 1/1] improve DNS resolution logic for parallel queries

Lance Yang dixit:

>I understand your concern that continuing the search after receiving an
>NXDOMAIN response might pose a security risk. Will look into this issue

It’s not (just) a security risk, it’s how DNS works.

NXDOMAIN means “I am a nameserver responsible for resolving your
query, and I can state with confidence that the entry you requested
does not exist” so no other responsible nameserver’s response can
rightly differ.

If you need to merge different zones together, the normal method is
running a caching nameserver like dnscache from DJBDNS and configuring
it to ask specific upstream nameservers for specific zones, for example
“echo 192.168.178.1 >/service/dnscache/root/servers/box”, then it will
ask the normal root zone for normal requests but for *.box it’ll ask
a local Fritz!box instead.

bye,
//mirabilos
-- 
As long as you don't do dirty tricks, and I mean *really* dirty
tricks, like XORing both pointers of a doubly linked list and storing
them in a single word, Boehm works quite excellently.
		-- Andreas Bogk on boehm-gc in d.a.s.r
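
The resolver policy the message argues for, as an added illustration that is not part of the thread or of musl's code: a constructed DNS response header is parsed for its RCODE, and replies from several nameservers are walked in arrival order, treating NXDOMAIN as a definitive negative answer that ends the search, while SERVFAIL, REFUSED and timeouts merely move on to the next server. The `keep_searching` switch shows the behaviour the message objects to, where a later positive answer overrides an earlier NXDOMAIN.

```python
import struct

# RCODE values from the DNS header (RFC 1035, section 4.1.1).
NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5


def rcode_of(packet: bytes) -> int:
    """Extract the RCODE from the 12-byte header of a raw DNS response."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", packet[2:4])[0]
    if not flags & 0x8000:          # QR bit clear: this is a query, not a reply
        raise ValueError("not a response")
    return flags & 0x000F


def resolve_parallel(replies, keep_searching=False):
    """
    replies: list of (server, packet) in arrival order; packet None == timeout.
    Returns ("answer", server), ("nxdomain", server) or ("fail", None).

    Default policy: NXDOMAIN comes from a nameserver responsible for the name
    and states the name does not exist, so it is final.  Only server-side
    failures (SERVFAIL, REFUSED, timeout) justify consulting the next server.
    keep_searching=True reproduces the questionable behaviour: keep asking
    after NXDOMAIN and let a later NOERROR reply win.
    """
    nxdomain_from = None
    for server, pkt in replies:
        if pkt is None:             # timeout: this server said nothing
            continue
        rc = rcode_of(pkt)
        if rc == NOERROR:
            return ("answer", server)
        if rc == NXDOMAIN:
            if not keep_searching:
                return ("nxdomain", server)
            nxdomain_from = nxdomain_from or server
        # SERVFAIL / REFUSED / other: this server could not answer, try next
    if nxdomain_from is not None:
        return ("nxdomain", nxdomain_from)
    return ("fail", None)


def make_reply(txid: int, rcode: int, ancount: int = 0) -> bytes:
    """Build a constructed 12-byte DNS response header (QR=1, AA=1), no body."""
    flags = 0x8000 | 0x0400 | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
```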
