root@hat1:~# unbound-control status | head -1 version: 1.4.12 |
unbound.conf
do-udp: no do-tcp: yes |
disable "do-udp" and enable "do-tcp".
Unbound then performs name resolution for all domains over TCP queries.
root@hat1:.../unbound# dig @127.1 www.google.co.jp ; <<>> DiG 9.9.0a2 <<>> @127.1 www.google.co.jp ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65056 ;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.google.co.jp. IN A ;; ANSWER SECTION: www.google.co.jp. 345600 IN CNAME www.google.com. www.google.com. 604800 IN CNAME www.l.google.com. www.l.google.com. 300 IN A 72.14.203.105 www.l.google.com. 300 IN A 72.14.203.106 www.l.google.com. 300 IN A 72.14.203.99 www.l.google.com. 300 IN A 72.14.203.147 www.l.google.com. 300 IN A 72.14.203.103 www.l.google.com. 300 IN A 72.14.203.104 ;; Query time: 909 msec |
root@hat1:~# tshark -i br0 port 53 Capturing on br0 0.000000 z.z.z.z -> x.x.x.x TCP 74 33277 > domain [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=764240 TSecr=0 WS=128 0.005809 x.x.x.x -> z.z.z.z TCP 74 domain > 33277 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSval=2710269251 TSecr=764240 WS=128 0.005886 z.z.z.z -> x.x.x.x TCP 66 33277 > domain [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=764242 TSecr=2710269251 |
TCP queries could reduce the risk of cache poisoning compared to non-DNSSEC UDP queries, because a forged response must also match the TCP connection state (sequence numbers), not just the DNS transaction ID and source port.
However, I think this is not a good solution against cache poisoning, considering the network latency, the overhead of the TCP protocol, and the additional load on caching name servers, authoritative name servers, and network devices such as load balancers and firewalls.