Attachment 'FAQ.htm'
DownloadGbDns : FAQ ( Frequently Asked Questions )
What does installation do?
The executable, GbDns.exe, is copied to the folder C:\Program Files\GbDns\ ( which is created ).
Then the installer creates a new Windows service (GbDns), configured to start automatically when you reboot.
It listens on 127.0.0.1, the loopback address that designates the local computer itself, so only programs running on that computer can send it queries; to use it, point your network connection's DNS server setting at 127.0.0.1.
How do I uninstall GbDns?
To uninstall GbDns, first reconfigure your DNS settings to their previous values, then re-run GbDns.msi by double-clicking it and follow the uninstall instructions ( which will remove the software completely ). You can also uninstall from Control Panel / Add or Remove Programs. If you only want to revert temporarily to another DNS server, you need not run the uninstaller at all: just change the DNS settings and leave the service running.
I'm currently using OpenDNS rather than my ISP's DNS, am I safe?
Maybe, maybe not*. GbDns is, as far as I know, the only DNS resolver that is not subject to cache poisoning by spoofed responses ( as of April 2009 ).
Before August 2008, many servers did not use "port randomisation", which means an attacker could poison their caches in just a few seconds by guessing the 16-bit transaction ID alone.
The port randomisation patch ( which is not universally deployed ) makes that guessing harder, but a patched server can still be poisoned in about 8 hours of sustained attack.
See this interview with Dr Paul Mockapetris if you don't believe it!
*OpenDNS say they have "countermeasures which they will not be discussing publicly", which are therefore impossible to assess.
The potential consequences of cache poisoning are very serious: email and web traffic can be redirected to hosts of the attacker's choosing, giving a sophisticated attacker control over most internet access for every user of the compromised cache, for as long as the poisoned record stays cached.
A few other things to consider with OpenDNS:
1. You have to trust them. While I have no reason whatsoever to think OpenDNS are not trustworthy, a good principle in computer security is to minimise the number of parties you have to trust. GbDns is open source software, which you and third parties can inspect and validate; the OpenDNS service is not.
2. OpenDNS is a potential centralised point of failure ( although its anycast deployment may make it resilient to the failure of individual sites ).
3. OpenDNS is by its nature an attractive target for an attacker.
4. Communications from your stub resolver to the OpenDNS server are still potentially susceptible to a spoofing attack: the stub resolver matches a reply to its query only by transaction ID and port, and anyone on the path can see both.
Why are you doing this?
I became aware of the problem around July/August 2008, and realised that no proper solution to this security problem was available.
I decided to write some public domain software to solve the problem, because it seemed to me that the problem was serious.
It's been quite interesting for me, but I don't anticipate any personal benefit other than some satisfaction for contributing to internet security.
I'm using Linux, is there a Linux version?
Not at this time, I'm afraid. If you have access to a Windows box, you can run GbDns on that and set the Linux machine's DNS server address to the IP address of the Windows box. You will need to configure the Windows Firewall to allow incoming UDP datagrams on port 53. Note that recursive service is limited by default to private IP addresses, that is, your local area network. You should also consider that communication from the stub resolver to the cache across the network is potentially susceptible to spoofing attack, in the same way as for any other remote DNS server.
Alternatively, Mono ( www.mono-project.com ) runs C# programs on Linux, so porting GbDns may be possible.
Is it possible to flush the cache?
Yes, simply restart the Windows service, which discards the cache. You can do this either from the Services manager ( Start / Control Panel / Administrative Tools / Services ), or from an Administrator command prompt with net stop GbDns followed by net start GbDns.
Why should I use GbDns?
For security. The CERT vulnerability note VU#800113 recommends that you "Run a local DNS cache". It also notes that NAT devices "can reduce source port randomness", which means that source port randomisation cannot be relied on for security.
Instead of relying on source port randomisation, GbDns defeats spoofing by sending each query two (or more) times and accepting the answer only if the responses agree ( this is an over-simplification, but sufficient to understand the principle ). A blind attacker who cannot see the queries must then produce a matching forged reply for every copy, rather than winning a single race. Note that this does not protect against an attacker who can observe the queries in transit, since they can answer every copy consistently; only a cryptographic check on the answers themselves, such as DNSSEC, can. To the best of my knowledge, GbDns is the only DNS resolver that does this, and it therefore appears to be the only secure solution to DNS resolution against blind spoofing.
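The cross-checking principle described above, modelled offline in Python as an added example. This is not GbDns's own code ( which is C# ) and it simplifies the real protocol: only A records, one level of name compression, no TTL, retry or timeout handling. Each copy of a query gets its own random transaction ID and source port; a datagram is accepted for a copy only if both match, and the answer is used only when every copy agrees. The records, the attacker strategies and the network model ( spoofed datagrams always arrive before the genuine reply ) are constructed for the simulation; the blind attacker must win every race, while the on-path attacker shows the caveat that an attacker who sees the queries is not stopped.

```python
import random
import struct

QTYPE_A, QCLASS_IN = 1, 1
HONEST_RECORDS = {"www.example.com": {"93.184.216.34"}}   # constructed sample data
POISON_ADDR = "198.51.100.66"                              # what the attacker wants cached

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Return (name, offset after it); follows a compression pointer if one is met."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                               # pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)            # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def build_response(txid, name, addrs):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)   # QR=1 RD=1 RA=1
    msg = header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for addr in sorted(addrs):   # owner name is a pointer to the question name (offset 12)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        msg += bytes(int(octet) for octet in addr.split("."))
    return msg

def parse_query(msg):
    return struct.unpack("!H", msg[:2])[0], decode_name(msg, 12)[0]

def parse_response(msg):
    """Return (txid, set of A-record addresses) from a wire-format response."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = decode_name(msg, 12)[1] + 4, set()       # skip question name + QTYPE/QCLASS
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A:
            addrs.add(".".join(str(b) for b in msg[off:off + rdlen]))
        off += rdlen
    return txid, addrs

def resolve(name, deliver, copies=2, seed=None):
    """Send `copies` independent queries; return the answer only if every copy agrees.
    deliver(query, src_port) stands in for the network: it returns the datagrams
    (dst_port, bytes) arriving at that socket, spoofed ones first because they race."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    answers = []
    for _ in range(copies):
        txid, port = rng.randrange(65536), rng.randrange(1024, 65536)  # fresh ID and port
        answer = None
        for dst_port, datagram in deliver(build_query(txid, name), port):
            if dst_port != port:
                continue                              # wrong port: never reaches this socket
            rtxid, addrs = parse_response(datagram)
            if rtxid != txid:
                continue                              # wrong transaction ID: dropped
            answer = addrs
            break                                     # first matching datagram wins the race
        if answer is None:
            return None                               # this copy timed out
        answers.append(answer)
    return answers[0] if all(a == answers[0] for a in answers) else None

def make_network(attacker):
    """Network model: the attacker's datagrams arrive before the genuine upstream reply."""
    calls = [0]
    def deliver(query, src_port):
        txid, name = parse_query(query)
        i, calls[0] = calls[0], calls[0] + 1
        genuine = (src_port, build_response(txid, name, HONEST_RECORDS[name]))
        return attacker(name, txid, src_port, i) + [genuine]
    return deliver

def on_path_attacker(name, txid, port, i):
    # Sees the query, so it copies ID and port exactly: cross-checking cannot help here.
    return [(port, build_response(txid, name, {POISON_ADDR}))]

def wins_first_race_only(name, txid, port, i):
    # A blind attacker that happens to guess the first copy right and later ones wrong.
    return on_path_attacker(name, txid, port, i) if i == 0 else []

def off_path_attacker(guesses, seed):
    rng = random.Random(seed)                         # blind: must guess both ID and port
    return lambda name, txid, port, i: [
        (rng.randrange(1024, 65536), build_response(rng.randrange(65536), name, {POISON_ADDR}))
        for _ in range(guesses)]

def spoof_odds(guesses, copies, randomised_port=True):
    """Rough chance a blind attacker poisons the cache with `guesses` datagrams per query."""
    space = 65536 * ((65536 - 1024) if randomised_port else 1)
    return min(1.0, guesses / space) ** copies
```

With copies=1 the resolver behaves like an ordinary cache and wins_first_race_only poisons it; with copies=2 the disagreement between the forged first answer and the genuine second one is detected and nothing is cached. spoof_odds makes the VU#800113 point concrete: with a fixed source port, 65536 spoofed datagrams cover the whole transaction ID space, whereas with a randomised port and two cross-checked copies the same effort has a negligible chance.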