Valhalla Legends Forums Archive | General Discussion | Linux Host Lookup Performance Tuning

Thing
Installing and configuring the nscd daemon can greatly improve the performance of any activity that requires host lookups. Examples would be web browsing, ftping, wgeting, etc.

Tools you will need:

1. nscd
2. keyboard
3. device or fingers to clickey click the keyboard
4. file editing skills

Instructions:

1. install nscd
2. configure nscd.conf
3. start nscd
4. set nscd to start at boot

By default /etc/nscd.conf contains:

    enable-cache            hosts           no

Change it to:

    enable-cache            hosts           yes

The positive TTL and negative TTL are displayed in seconds. Set them to a reasonable value. Mine are positive = 86400 and negative = 20.

Important! If you are running a service that relies on forward/reverse lookup checks, don't do this! An example would be if you are running an SMTP server that only accepts email from a host with a valid PTR record.

Average home users should see a significant increase in performance because we are reducing the number of lookups your machine has to perform.
February 8, 2004, 3:34 PM
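The recipe above (turn the hosts cache on, then set the two TTLs) applied to an nscd.conf-style file, as an added example that is not part of the original post. The sample configuration is constructed here to match the layout the post describes (whitespace-separated `option database value` lines); it is not copied from any real system, and the helper names are mine.

```python
"""Enable the hosts cache in an nscd.conf-style file and set its TTLs.

Added example, not from the original post. Assumes the stock glibc
nscd.conf layout: one setting per line, whitespace-separated as
    <option> <database> <value>
with '#' comment lines.
"""
import re

# Constructed sample of the default hosts block as the post describes it
# (not a copy of any real /etc/nscd.conf).
DEFAULT_CONF = """\
#       logfile                 /var/log/nscd.log
        debug-level             0

        enable-cache            hosts           no
        positive-time-to-live   hosts           3600
        negative-time-to-live   hosts           20
        suggested-size          hosts           211
        check-files             hosts           yes
"""

# Captures indentation and the whitespace between fields so a rewritten
# line keeps the original column alignment.
LINE_RE = re.compile(r"^(\s*)(\S+)(\s+)(\S+)(\s+)(\S+)\s*$")


def parse(conf: str) -> dict:
    """Return {(option, database): value} for every uncommented 3-field line."""
    settings = {}
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            settings[(m.group(2), m.group(4))] = m.group(6)
    return settings


def set_option(conf: str, option: str, database: str, value: str) -> str:
    """Rewrite one option line in place; append the line if it is absent."""
    out, found = [], False
    for line in conf.splitlines():
        m = LINE_RE.match(line)
        if (m and not line.lstrip().startswith("#")
                and m.group(2) == option and m.group(4) == database):
            line = f"{m.group(1)}{option}{m.group(3)}{database}{m.group(5)}{value}"
            found = True
        out.append(line)
    if not found:
        out.append(f"\t{option}\t\t{database}\t\t{value}")
    return "\n".join(out) + "\n"


def enable_hosts_cache(conf: str, positive_ttl: int = 86400,
                       negative_ttl: int = 20) -> str:
    """Apply the post's recipe: hosts caching on, both TTLs in seconds.

    The default TTLs are the values the post's author uses. TTLs that are
    not positive integers are rejected rather than silently written out.
    """
    for name, ttl in (("positive", positive_ttl), ("negative", negative_ttl)):
        if not isinstance(ttl, int) or ttl <= 0:
            raise ValueError(f"{name} TTL must be a positive integer of seconds")
    conf = set_option(conf, "enable-cache", "hosts", "yes")
    conf = set_option(conf, "positive-time-to-live", "hosts", str(positive_ttl))
    conf = set_option(conf, "negative-time-to-live", "hosts", str(negative_ttl))
    return conf


def hosts_cache_enabled(conf: str) -> bool:
    """True when the hosts database is cached (the post's warning applies)."""
    return parse(conf).get(("enable-cache", "hosts")) == "yes"


if __name__ == "__main__":
    # On a real host: read /etc/nscd.conf, write the result back, then
    # restart nscd with the service manager the distribution uses.
    print(enable_hosts_cache(DEFAULT_CONF), end="")
```

`hosts_cache_enabled` is the check to run before turning this on for a machine that does forward/reverse confirmation of peers; if it returns True after the edit, the caveat in the post applies.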
Adron
[quote author=Thing link=board=2;threadid=5170;start=0#msg43112 date=1076254498]
Important! If you are running a service that relies on forward/reverse lookup checks, don't do this! An example would be if you are running an SMTP server that only accepts email from a host with a valid PTR record.
[/quote]

Why not?
February 8, 2004, 3:37 PM
Thing
Quote from Security Focus:

[quote]The Name Service Cache Daemon (nscd) has a default behavior that does not allow applications to validate DNS "PTR" records against "A" records.

In particular, nscd caches a request for a "PTR" record, and when a request comes later for the "A" record, nscd simply divulges the information from the cached "PTR" record, instead of querying the authoritative DNS for the "A" record.[/quote]

As far as I know, this is still the case. It is terribly unimportant for an average home user.
February 8, 2004, 3:51 PM
Adron
[quote author=Thing link=board=2;threadid=5170;start=0#msg43118 date=1076255470]
As far as I know, this is still the case. It is terribly unimportant for an average home user.
[/quote]

I'd say that could be terribly important for a home user... What are the ways to force someone to do a ptr lookup? Access something that generates a log entry on his machine?

If you can fool the home user into doing a ptr lookup for your IP, and return www.citibank.com, then you can do a perfect hijack of that site?
February 9, 2004, 5:56 AM
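The two preceding posts describe the mechanism (a PTR answer cached as a host entry and later handed back for an "A" query) and the attack it enables (a PTR record you control naming a site you do not). The following is an added example, not code from the thread, from nscd or from glibc: an in-memory model of a resolver with and without that caching flaw, run through a forward-confirmed reverse DNS check of the kind an SMTP server or TCP wrappers perform. The zone data is constructed, using documentation addresses and an example domain in place of the bank name in the post above; class and function names are mine.

```python
"""Why a host cache that answers forward ("A") queries from a cached
reverse ("PTR") answer defeats forward-confirmed reverse DNS (FCrDNS).

Added example, not from the thread. The "resolvers" are constructed
in-memory stand-ins, not nscd or glibc code.
"""

# Constructed authoritative data. The attacker controls reverse DNS for
# 203.0.113.7 and points it at the bank's hostname; the bank's real address
# is 198.51.100.10 and its reverse record is consistent.
AUTHORITATIVE_A = {"www.bank.example": ["198.51.100.10"]}
AUTHORITATIVE_PTR = {
    "203.0.113.7": "www.bank.example",     # attacker-controlled PTR
    "198.51.100.10": "www.bank.example",   # genuine PTR
}


class DirectResolver:
    """No cache: every query goes to the authoritative data."""

    def __init__(self):
        self.queries = 0

    def ptr(self, ip):
        self.queries += 1
        return AUTHORITATIVE_PTR.get(ip)

    def a(self, name):
        self.queries += 1
        return list(AUTHORITATIVE_A.get(name, []))


class ConflatingCache(DirectResolver):
    """Models the behaviour quoted from SecurityFocus: a PTR answer is stored
    as a complete host entry (name -> [address]), and a later A query for
    that name is served from it instead of from the authoritative data."""

    def __init__(self):
        super().__init__()
        self.hosts = {}  # name -> [addresses]

    def ptr(self, ip):
        name = super().ptr(ip)
        if name is not None:
            # The flaw: a forward entry derived from a reverse answer.
            self.hosts[name] = [ip]
        return name

    def a(self, name):
        if name not in self.hosts:
            self.hosts[name] = super().a(name)
        return list(self.hosts[name])


class SeparatedCache(DirectResolver):
    """Corrected caching: PTR and A answers live under distinct keys, so a
    PTR answer can never satisfy an A query. Caching itself is harmless."""

    def __init__(self):
        super().__init__()
        self.by_ip = {}
        self.by_name = {}

    def ptr(self, ip):
        if ip not in self.by_ip:
            self.by_ip[ip] = super().ptr(ip)
        return self.by_ip[ip]

    def a(self, name):
        if name not in self.by_name:
            self.by_name[name] = super().a(name)
        return list(self.by_name[name])


def forward_confirmed(resolver, ip):
    """FCrDNS: reverse-map the peer address, forward-map the resulting name,
    and require the original address to be among the forward answers."""
    name = resolver.ptr(ip)
    if name is None:
        return False
    return ip in resolver.a(name)


if __name__ == "__main__":
    for cls in (DirectResolver, SeparatedCache, ConflatingCache):
        r = cls()
        print(f"{cls.__name__:16} attacker 203.0.113.7 accepted: "
              f"{forward_confirmed(r, '203.0.113.7')}")
```

The direct and separated resolvers reject the attacker's address because the forward lookup of www.bank.example returns only 198.51.100.10. The conflating cache accepts it: the forward answer it hands back is the attacker's own address, recorded from the PTR query a moment earlier, which is exactly the "perfect hijack" the post above asks about.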
Thing
Netscape, Konqueror, Opera and Mozilla all have their own built-in resolvers. They utilize the DNS resolver libraries but don't query the nscd db.
February 9, 2004, 2:16 PM
Adron
[quote author=Thing link=board=2;threadid=5170;start=0#msg43296 date=1076336190]
Netscape, Konqueror, Opera and Mozilla all have their own built-in resolvers. They utilize the DNS resolver libraries but don't query the nscd db.
[/quote]

Hmm, so that must reduce the usefulness of nscd... What does query it? Telnet/b.net/IRC, etc.?
February 9, 2004, 6:40 PM