[Unbound-users] allowing cache queries but not doing recursion for "foreign" networks

Aaron Hopkins lists at die.net
Sun Feb 15 07:26:39 UTC 2009


On Sat, 14 Feb 2009, Greg A. Woods; Planix, Inc. wrote:
> I.e. anyone can see anything in my cache except my private data, but they 
> wouldn't be able to force me to try to load anything into my cache.  Only 
> clients sending queries from locally "trusted" networks would get full 
> recursion and caching services.

Cache snooping lets anyone see who you've been talking to, when you looked
it up, and when the cache will expire.  This can aid many different attacks;
for a cliched example, would you knowingly publish a list of which financial
institutions your users are logged into at any given time?  Can you see how
doing so might aid social engineering, phishing, or cross-site-scripting
attacks?

It also complicates the end-user experience.  If someone hardcodes my DNS
servers into their machine and moves off of my network, lookups of popular,
cached RRs will mostly work and other lookups will mysteriously fail,
perhaps a week in the future after they've forgotten what they've done.  It
seems much more clear to just have nothing work until they fix their config.

> Personally I also think this should be the only way any DNS cache should work 
> -- i.e. it should be the only mode of operation.  Public (DNS) data 
> should remain public no matter where it is stored.

The fact that it is in a cache or not and when it was retrieved is the
sensitive data, not the public data that was retrieved.

BIND allowing cache snooping when you have recursion disabled is a bug, not
a feature.  It shouldn't be pushed into other servers.

                                     -- Aaron
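For an Unbound operator who wants the behaviour Aaron argues for (recursion only for trusted networks, no cache snooping from anywhere, and a hard failure rather than half-working lookups for clients that wander off the network), the relevant knob is the `access-control:` action. The fragment below is an added example written for this archive, not configuration from the thread or from the Unbound project; the address ranges are constructed placeholders and the comments reflect the semantics documented in unbound.conf(5) for the `allow`, `allow_snoop` and `refuse` actions.

```conf
server:
    # Weak setting: "allow_snoop" answers non-recursive (RD=0) queries from
    # cache, so any client matching this rule can learn what is cached, and
    # from the decremented TTL, roughly when it was looked up and when it
    # expires. Left here commented out only to show the contrast.
    # access-control: 0.0.0.0/0 allow_snoop

    # Corrected setting. Unbound picks the most specific matching prefix, so
    # the catch-all "refuse" rules apply to everything not listed below them.
    # "refuse" returns rcode REFUSED instead of silently dropping, which gives
    # a misconfigured roaming client an immediate, obvious failure.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Trusted networks (constructed example ranges). "allow" grants full
    # recursion, but non-recursive queries for cached data are still answered
    # REFUSED, so even these clients cannot snoop the cache; only local-data
    # is served to RD=0 queries.
    access-control: 192.0.2.0/24 allow
    access-control: 2001:db8::/32 allow
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
```

To confirm the result on your own resolver, send one query with the RD bit clear from a trusted address (for example `dig +norecurse @<resolver> example.com` for a name you know is cached) and one from an address outside the listed ranges: both should come back REFUSED, while a normal recursive query from the trusted address is answered.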
