On Wed, Dec 01, 2010 at 06:44:26PM +0300, Michael Tokarev wrote:
> After several years of silence I'm about to release
> a new version of udns, with just one bugfix and a change
> from sequential queue IDs for queries to random, using
> a simple pseudo-random number generator by Bob Jenkins.
> 
> This affects queueIDs _only_, not source port, because
> by design udns uses just one port for all queries.
> 
> The whole thing is still inherently insecure, even for
> source port randomisation, as has been already said
> several times - _all_ "simple" DNS resolvers today are
> vulnerable to attacks on high-bandwidth network such
> as a typical LAN.  So this change is in fact not an
> improvement, even if it feels like that.
> 
> I also plan to address a few defects and suggestions
> I received during all these years.
> 
> Not that I'm saying udns should now enter Debian,
> just adding some information to the bug report.
> 
> Thanks!
> 
> /mjt
> 
> 

Thanks, Michael.

I agree that the simplicity of using only one file descriptor is one of
the strengths of udns. Although others have pointed out other problems
with that (absence of TCP support, for example), I'd say udns is a very
good library for stub resolving and it works very well with a full blown
recursive resolver at localhost, like bind.

Regarding the random TID support, will it require more memory
consumption by udns?

I still think udns can pretty much enter Debian, as long as we advise
the user not to use it in a network that is not trusted. Pointing it out
to a localhost recursive resolver should be enough. Perhaps, including a
Recommends for such a resolver would be a plus to indicate that to the
user.

Anyway, good to hear again from you and that you're working on udns.

Regards,
Cascardo.
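The query-ID change Michael describes, as an added example that is not udns code: a 16-bit transaction ID drawn from a small Jenkins PRNG, next to the sequential scheme it replaces, with the in-flight collision check a resolver needs once IDs are no longer sequential. The generator is assumed here to be jsf32 (the message only says "a simple PRNG by Bob Jenkins"); its state is four 32-bit words, which is the footprint relevant to the memory question above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Bob Jenkins's small non-cryptographic PRNG (jsf32). Assumption: the
 * message only says "a simple PRNG by Bob Jenkins", not which one udns
 * adopted. State is four 32-bit words, 16 bytes per resolver context. */
typedef struct { uint32_t a, b, c, d; } jsf32_t;
#define ROT32(x, k) (((x) << (k)) | ((x) >> (32 - (k))))

static uint32_t jsf32_next(jsf32_t *x) {
    uint32_t e = x->a - ROT32(x->b, 27);
    x->a = x->b ^ ROT32(x->c, 17);
    x->b = x->c + x->d;
    x->c = x->d + e;
    x->d = e + x->a;
    return x->d;
}

static void jsf32_seed(jsf32_t *x, uint32_t seed) {
    x->a = 0xf1ea5eed; x->b = x->c = x->d = seed;
    for (int i = 0; i < 20; i++) (void)jsf32_next(x); /* discard warm-up output */
}

/* Old scheme: sequential IDs, trivially predictable but never colliding. */
static uint16_t qid_sequential(uint16_t *next) { return (*next)++; }

/* In-flight table: a 65536-bit map of IDs with a pending query, plus a
 * count so allocation can fail cleanly when the space is exhausted. */
typedef struct { uint8_t bits[65536 / 8]; uint32_t count; } inflight_t;

static bool inflight_test(const inflight_t *t, uint16_t id) {
    return (t->bits[id >> 3] >> (id & 7)) & 1;
}
static void inflight_mark(inflight_t *t, uint16_t id) {
    if (!inflight_test(t, id)) { t->bits[id >> 3] |= (uint8_t)(1u << (id & 7)); t->count++; }
}
static void inflight_clear(inflight_t *t, uint16_t id) {
    if (inflight_test(t, id)) { t->bits[id >> 3] &= (uint8_t)~(1u << (id & 7)); t->count--; }
}

/* New scheme: random 16-bit ID. A random ID can repeat while a query is
 * still pending, so retry until an unused one is found; return -1 when
 * all 65536 are in use (the caller must queue the query). */
static int qid_random(jsf32_t *rng, inflight_t *t) {
    if (t->count >= 65536) return -1;
    uint16_t id;
    do { id = (uint16_t)jsf32_next(rng); } while (inflight_test(t, id));
    inflight_mark(t, id);
    return id;
}
```

The source port is unchanged in this scheme, so the ID is the only randomised field, which is the point of Michael's caveat: 16 bits of entropy is what the resolver gets.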