D. J. Bernstein
Internet publication
DNScache
Advertising
Security
Security features:
- dnscache runs as a dedicated non-root uid inside a chroot jail,
so it can't touch the rest of the machine.
- tinydns runs as another dedicated non-root uid inside its own chroot jail.
- pickdns runs as another dedicated non-root uid inside its own chroot jail.
- walldns runs as another dedicated non-root uid inside its own chroot jail.
- dnscache discards
DNS queries from outside a specified list of IP addresses.
- dnscache and the dns library
use a new query ID and a new UDP port for each query packet.
They discard DNS responses from any IP address
other than the one that the corresponding query was just sent to.
- dnscache uses a cryptographic generator
to select unpredictable port numbers and IDs.
- dnscache is immune to cache poisoning.
- tinydns, pickdns, and walldns
never cache information.
They do not support recursion.
Security metafeatures:
- Security was, and is, one of the primary motivations
for the development of DNScache.
Every step of the design and implementation
has been carefully evaluated from a security perspective.
- The DNScache package has been structured
to minimize the complexity of security-critical code.
The package is modularized for easy review.
- Bug-prone coding practices and libraries
have been systematically identified and rejected.
Beware, however, that the DNS infrastructure
is inherently vulnerable to
forgery.