1. DNS/Poisoning/From tweets
https://twitter.com/beyondDNS/status/444080744281821184
I don't understand the basis for the claim on unbound.jp that it is "highly resistant to DNS cache poisoning". Is there an explanation somewhere?
https://twitter.com/beyondDNS/status/443541591945269248
Haya Shulman: "DNS Cache-Poisoning: New Attacks and Defenses"
However, we show how attackers may be able to circumvent those defenses and poison in spite of them; specifically:
- Circumvent source port randomisation, in the (common) case where the resolver connects to the Internet via different NAT devices.
- Circumvent IP address randomisation supported by standard-conforming resolvers.
- Circumvent query randomisation, including both randomisation by prepending a random nonce and case randomisation (0x20 encoding).
http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf
https://twitter.com/beyondDNS/status/443540344295002112
https://www.ida.liu.se/~TDDC03/literature/dnscache.pdf
Recommended Defenses Against DNS Cache Poisoning
https://unbound.net/documentation/patch_announce102.html unbound patch 2008