DNS/Deadwood/検索動作/3について、ここに記述してください。
1. Handling "incomplete" answers
Deadwood does not store name server referrals as NS records nor incomplete CNAME referrals as CNAME records.
- Deadwood uses special records for storing these incomplete records.
In the case of either a glueness NS referral or an incomplete CNAME answer,
- Deadwood will create a sub-query to answer the query in question.
This query is a new query that starts at the root to resolve a given name.
2. Choosing what to cache
Unlike other DNS resolvers, Deadwood does not indiscriminately add records to the cache that
- are seen in the additional records section of a DNS answer, even if the answers are "in bailiwick".
This protects Deadwood from the Kaminsky DNS attack where
- someone can try and get "www.paypal.com" to point to a phishing page
by sending queries like "0000001.paypal.com", "0000002.paypal.com", and so on, along with spoofed answers which have a very small chance of being accepted.
The spoofed answers to the query have, in the additional records section, the DNS record "www.paypal.com has the IP 10.6.6.6" and "10.6.6.6" points to a phishing page.
If someone tries this attack on Deadwood, a successful spoof will only affect meaningless records like "62f8ec94.paypal.com".
Mueller 型攻撃には触れられていない -- ToshinoriMaeno 2014-06-26 23:33:05