/
857.txt
161 lines (113 loc) · 7.19 KB
/
857.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
[37] [DFN[[RUBYB[DNSキャッシュ]@en[DNS cache]]]]は、
[[名前解決]]の結果を[[キャッシュ]]するものです。
[[名前解決]]はそれなりの時間を要する操作なので、
[[キャッシュ]]を使うのが普通です。
[23] [[プラットフォーム]]の[[名前解決器]]は、普通、[[名前解決]]の結果を[[キャッシュ]]します。
[24] [[Webブラウザー]]の[[名前解決器]]も、[[名前解決]]の結果を[[キャッシュ]]します。
[35] [[DNSサーバー]]も、普通、問い合わせに回答するため[[名前解決]]した結果を[[キャッシュ]]します。
;; [36] [[プラットフォーム]]や[[Webブラウザー]]の[[キャッシュ]]は、
[[DNS]] 以外の[[名前解決]]方式も含めた[[キャッシュ]]になっているかもしれません。
従って厳密には[[DNSキャッシュ]]と呼ぶべきではないかもしれません。
* 保持期間
[25] [[Chrome]] は最低1分[[キャッシュ]]します [SRC[>>21]]。
[31] [[Firefox]] の標準設定では1分[[キャッシュ]]します [SRC[>>30]]。
[29] [[IE]] は30分[[キャッシュ]]します [SRC[>>2]]。
[26] [[Windows]] は最低5分[[キャッシュ]]します [SRC[>>21]]。
[28] [[Squid]] の標準設定では最低1分[[キャッシュ]]します [SRC[>>27]]。
* キャッシュ回避
[33] [[Chrome]] は[[再読み込み]]時に [[DNSキャッシュ]]を無視するようです [SRC[>>22]]。
[34] なお、[[再読み込み]]によって[[部分資源]]を [[fetch]] するときに毎回[[名前解決]]が[[キャッシュ]]なしで実行されるのは好ましくないと思われます。
* 歴史
[1] [CITE[Why Web Browser DNS Caching Can Be A Bad Thing | Dyn Blog]]
([TIME[2015-03-21 00:54:31 +09:00]] 版)
<http://dyn.com/blog/web-browser-dns-caching-bad-thing/>
[2] [CITE@en-us[How Internet Explorer uses the cache for DNS host entries]]
([TIME[2015-03-21 00:55:14 +09:00]] 版)
<https://support.microsoft.com/en-us/kb/263558>
[3] [CITE@ja-JP[PROXY(プロキシ)経由でのDNSリバインディングと対策 - 徳丸浩の日記(2010-04-06)]]
([[徳丸浩]] 著, [TIME[2012-11-13 18:14:47 +09:00]] 版)
<http://www.tokumaru.org/d/20100406.html>
[4] [CITE@ja[クラウド時代はDNS Pinningが落とし穴になる | 水無月ばけらのえび日記]] ([TIME[2015-03-20 17:44:13 +09:00]] 版) <http://bakera.jp/ebi/topic/4516>
[5] [CITE[Protecting Browsers from DNS Rebinding Attacks]]
([TIME[2007-10-18 06:22:18 +09:00]] 版)
<http://crypto.stanford.edu/dns/dns-rebinding.pdf>
[6] [CITE@en[Notes on DNS Pinning - random dross - Site Home - MSDN Blogs]]
([TIME[2015-03-21 01:10:33 +09:00]] 版)
<http://blogs.msdn.com/b/dross/archive/2007/07/09/notes-on-dns-pinning.aspx>
[7] [CITE@en[689835 – Dns rebinding attack using cached resources]]
([TIME[2015-03-21 01:20:36 +09:00]] 版)
<https://bugzilla.mozilla.org/show_bug.cgi?id=689835>
[8] [CITE[Issue 98357 - chromium - Security: browser dns rebinding attack using cached resources - An open-source project to help move the web forward. - Google Project Hosting]]
([TIME[2015-03-21 01:20:51 +09:00]] 版)
<https://code.google.com/p/chromium/issues/detail?id=98357>
[9] [CITE@en[162871 – DNS: problems with new DNS cache ("pinning" forever)]]
([TIME[2015-03-21 01:22:20 +09:00]] 版)
<https://bugzilla.mozilla.org/show_bug.cgi?id=162871>
[10] [CITE@en[151929 – DNS: TTL (time-to-live) support in DNS cache]]
([TIME[2015-03-21 01:37:19 +09:00]] 版)
<https://bugzilla.mozilla.org/show_bug.cgi?id=151929>
[11] [CITE[Protecting Browsers from DNS Rebinding Attacks]]
([TIME[2009-08-03 07:55:07 +09:00]] 版)
<http://www.adambarth.com/papers/2009/jackson-barth-bortz-shao-boneh-tweb.pdf>
[FIG(quote)[
[FIGCAPTION[
[12] [CITE[Network Portal Detection - The Chromium Projects]]
([TIME[2015-03-21 10:14:33 +09:00]] 版)
<http://www.chromium.org/chromium-os/chromiumos-design-docs/network-portal-detection>
]FIGCAPTION]
> Many, or perhaps most, captive portals found in Hotels, Coffee Shops, Airports, etc, either run their own DNS server which returns IP address for all queries which point to their webserver, or they intercept all HTTP web traffic and return a 302 (redirect) response.
]FIG]
[13] [CITE[DNS Prefetching - The Chromium Projects]]
( ([TIME[2016-06-16 10:04:56 +09:00]]))
<https://www.chromium.org/developers/design-documents/dns-prefetching>
[14] [CITE@en[149943 – Use "DNS pinning" to prevent Princeton-like exploits]]
( ([TIME[2016-06-16 18:34:47 +09:00]]))
<https://bugzilla.mozilla.org/show_bug.cgi?id=149943>
[15] [CITE@en[168566 – DNS: find way of supporting network.dnsCacheExpiration]]
( ([TIME[2016-06-16 18:47:27 +09:00]]))
<https://bugzilla.mozilla.org/show_bug.cgi?id=168566>
[16] [CITE@en[151929 – DNS: TTL (time-to-live) support in DNS cache]]
( ([TIME[2016-06-16 18:51:25 +09:00]]))
<https://bugzilla.mozilla.org/show_bug.cgi?id=151929>
[17] [CITE@en[981447 – dns cache too sticky!]]
( ([TIME[2016-06-16 18:52:36 +09:00]]))
<https://bugzilla.mozilla.org/show_bug.cgi?id=981447>
[18] [CITE[How to clear/flush the DNS cache in Google Chrome? - Super User]]
( ([TIME[2016-06-16 19:11:19 +09:00]]))
<http://superuser.com/questions/203674/how-to-clear-flush-the-dns-cache-in-google-chrome>
[19] [CITE[各種端末でDNSキャッシュをクリアする方法 - Disce gaudere. 楽しむ事を学べ。]]
( ([TIME[2016-03-08 14:56:36 +09:00]]))
<http://d.hatena.ne.jp/keroring/20150115/1421308062>
[20] [CITE@en[Issue 566492 - chromium - Security: Previous DNS settings are still used even after changing networks - Monorail]]
( ([TIME[2016-06-16 19:25:46 +09:00]]))
<https://bugs.chromium.org/p/chromium/issues/detail?id=566492>
[FIG(quote)[
[FIGCAPTION[
[21] [CITE@en[Issue 157243 - chromium - Keep addresses in HostCache for at least a minute, even when using the built-in async DNS resolver. - Monorail]]
( ([TIME[2016-06-16 19:31:18 +09:00]]))
<https://bugs.chromium.org/p/chromium/issues/detail?id=157243>
]FIGCAPTION]
> Yes. The plan is to keep addresses in HostCache for at least one minute regardless of the TTL obtained from the server.
> Windows apparently caches results for 5 minutes.
>
]FIG]
[22] [CITE@en[Issue 42528 - chromium - Chrome/Chromium caches negative DNS responses and ignores changes to /etc/resolv.conf - Monorail]]
( ([TIME[2016-06-16 19:56:47 +09:00]]))
<https://bugs.chromium.org/p/chromium/issues/detail?id=42528>
[FIG(quote)[
[FIGCAPTION[
[27] [CITE[squid : negative_dns_ttl configuration directive]]
( ([TIME[2016-05-25 15:13:11 +09:00]]))
<http://www.squid-cache.org/Doc/config/negative_dns_ttl/>
]FIGCAPTION]
> Time-to-Live (TTL) for negative caching of failed DNS lookups.
This also sets the lower cache limit on positive lookups.
Minimum value is 1 second, and it is not recommendable to go
much below 10 seconds.
]FIG]
[30] [CITE@en[Network.dnsCacheExpiration - MozillaZine Knowledge Base]]
( ([TIME[2010-12-04 05:01:34 +09:00]]))
<http://kb.mozillazine.org/Network.dnsCacheExpiration>
[32] [CITE@en[30917 – implement DNS caching and request cancelation]]
( ([TIME[2016-06-16 21:13:24 +09:00]]))
<https://bugzilla.mozilla.org/show_bug.cgi?id=30917>