Hi David,

David Miller wrote:
> I didn't realize that this had changed between 1.0.2 and the current SVN
> version.
>
> How would one "change the acl to allow the cache snooping"?

access-control: 127.0.0.0/8 allow_snoop

or even

access-control: 0.0.0.0/0 allow_snoop

in the config file.

> Does dig +trace really require "cache snooping"? Sounds ominously bad :-)

Well, if you are willing to type @c.root-servers.net on the commandline (or make an alias), then it doesn't require snooping, I noticed. (The nonrecursive query is sent to the root server, instead of to the local resolver.)

dig +trace uses nonrecursive queries, which are useful for debugging. And dig is a debugging tool. But they are also used for 'cache snooping', which is where you probe the resolver to find out which domains are in the cache (i.e. what websites have been visited).

> What is the downside of allowing this?

The text above. Also it can be used to see which domains are not in the cache, which is useful to know for cache poisoning. You can only allow your own workstation, for example. Or make an alias digtrace="dig +trace @h.root-servers.net"

> BTW: I find the +trace option amazingly useful in troubleshooting
> reverse DNS delegations (see below).

Yeah, that is nice.

> FYI: DJB has never supported queries with +trace. I am sure that he has
> his reasons, but I don't believe that they have ever been publicly stated.

Well, I heard DJB disallows cache snooping as well, I think for the same reasons.

Best regards,
Wouter

_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
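As an added example (not part of Wouter's mail and not code from the Unbound project), the shell script below audits an unbound.conf for the access-control lines discussed above: it lists every allow_snoop grant that reaches beyond loopback or a single host, so a /8 on 127.0.0.0 or a /32 for your own workstation passes while 0.0.0.0/0 is flagged. The config file, its temporary path and the netblocks in it are constructed sample values; the `access-control: <netblock> <action>` syntax is the one quoted in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail or from Unbound: flag access-control
# entries that grant allow_snoop beyond the operator's own machine.

# Constructed sample unbound.conf written to a temp file (assumption: not a real deployment).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server:
    interface: 0.0.0.0
    # loopback only, the variant the mail suggests for your own workstation
    access-control: 127.0.0.0/8 allow_snoop
    # a single admin host: also acceptable under the rule below
    access-control: 192.168.1.10/32 allow_snoop
    # the second variant from the mail: every source address may snoop
    access-control: 0.0.0.0/0 allow_snoop
    # plain recursive access without snooping is not a concern here
    access-control: 192.168.1.0/24 allow
EOF

# snoop_grants_beyond_host FILE
# Prints the netblock of every "access-control: <netblock> allow_snoop" line
# that is neither loopback nor a single host (/32 or /128). Such a grant lets
# every client in the range send nonrecursive queries and read the cache contents.
snoop_grants_beyond_host() {
    awk '
        $1 == "access-control:" && $3 == "allow_snoop" {
            n = split($2, parts, "/")
            addr = parts[1]
            hostlen = index(addr, ":") ? 128 : 32   # IPv6 vs IPv4 single-host prefix
            prefix = (n == 2) ? parts[2] + 0 : hostlen
            if (addr ~ /^127\./ || addr == "::1") next   # loopback is fine
            if (prefix < hostlen) print $2
        }' "$1"
}

# audit_snoop FILE
# Exit status mirrors a CI check: 1 when at least one broad grant exists, 0 otherwise.
audit_snoop() {
    found=$(snoop_grants_beyond_host "$1")
    if [ -n "$found" ]; then
        printf 'allow_snoop granted beyond a single host:\n%s\n' "$found"
        return 1
    fi
    echo "no broad allow_snoop grants"
    return 0
}

audit_snoop "$SAMPLE_CONF" || echo "fix: restrict allow_snoop to 127.0.0.0/8 or a /32 for your workstation"
```

Run against a real config with `snoop_grants_beyond_host /etc/unbound/unbound.conf`; an empty result means nonrecursive cache lookups are limited to the resolver host itself or to explicitly listed single machines.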
