DNSPROXY APPLICABILITY
Consider an internal network with multiple zones and public IPs, isolated
through a packet filter. Each zone has its own DNS. By allowing entry of
any request to NS CACHE then it may result at data contamination.
When you enter a DNS redirector commonly found, one can ensure they do
not check if that request is, or not, about an inner zone.
The existence of such condition is possible only if there is an input filter,
operating as a redirector, and checking the contents of the request
belongs to the interior zones. This is the purpose of this dnsproxy.
An example:
Suppose a domain exemplo.com with internal zones i1.exemplo.com,
i2.exemplo.com and i3.exemplo.com. Some questions about the external system
perigo.sem is sent to the NS zone i1.exemplo.com. In doing so, the internal
NS cache, if not properly configured (recursion off), may query the
root-servers and send the response. However, if the malicious requester also
send fake responses directing to that NS then can have the internal cache
contamination.
The dnsproxy uses the source code of the dnscache DJBDNS, Daniel Bernstein,
with some modifications. The resource was developed by Lucio Henrique
Franco under the orientation of Ulisses Guedes.
The application was in operation from 2004 to 2011, at network of Brazilian
Space Research Institute (INPE/SJC) which proves its efficiency. At middle
of 2011, the application was disabled due to a BUG of BIND, when ISC was
implementing and testing the EDNS, that allows packets of DNS PROTOCOL
with more than 512 bytes, that is not accepted by dnscache.
The original code djbdns,
djbdns-1.0.5,
the complete source code of dnsproxy (
djbdns-1.0.5-Ulisses)
and a patch file (diff) (
djbdns-1.0.5-ulisses.diff.gz)
are available for download.
Modified versions include updating the root-servers in 2004, once the
original djbdns-1.0.5 was conceived in 2001.