Why does mDNS (Bonjour, Avahi, etc.) use UDP?
It seems to me that a lot of the problems with DNS, particularly security problems, have the root cause of DNS being implemented over UDP; for example the responder doesn't have to be who he says he is.
I don't know the details of the mDNS protocol (which I assume is much newer than DNS); maybe it takes care of these problems at its application level. Can anyone shed some light on this for me?
The 'm' in mDNS stands for "multicast." An mDNS query is pretty much a regular DNS query multicast (aka broadcast) to the local subnet. Every host on the subnet receives all mDNS query packets and responds to the ones for their host name. Since it isn't possible to do a TCP broadcast, you couldn't implement mDNS over TCP.
There's a more fundamental point here though: mDNS is already completely insecure. As you point out, anyone can respond to any query, so you pretty much have to trust all the hosts on the network. Switching to TCP (if you could) wouldn't fix this problem.
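To make the answer concrete, here is an added example (my own illustration, not code from the answer above or from any mDNS implementation) that builds a one-question mDNS query of the kind multicast to 224.0.0.251:5353, parses the DNS-format responses that come back, and then does the only thing a listener can do about the "anyone can answer" problem at this layer: notice when the same name is answered with different addresses by different hosts. The host names and addresses (`printer.local.`, `nas.local.`, 192.168.1.x) are constructed sample data, and the observed packets are built in-process rather than captured, so the script runs offline.

```python
import struct

# Constants from RFC 6762 (IPv4 multicast group and port used by mDNS).
MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353


def encode_name(name: str) -> bytes:
    """Encode a dotted host name as DNS labels, terminated by a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a one-question mDNS query (type A by default, class IN).

    Multicast queries carry transaction id 0 and no flags; this is the packet a
    resolver would send to MDNS_GROUP:MDNS_PORT for every host on the subnet to see.
    """
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(name: str, ip: str) -> bytes:
    """Constructed answer packet: QR+AA flags, one A record with the cache-flush bit set."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # class 0x8001 = IN with the mDNS cache-flush bit; TTL 120 s; rdlength 4
    return header + encode_name(name) + struct.pack("!HHIH", 1, 0x8001, 120, 4) + rdata


def decode_name(data: bytes, offset: int):
    """Decode a (possibly compressed) DNS name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("utf-8"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_answers(data: bytes):
    """Return [(name, rtype, rdata_bytes)] for every record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):          # skip the question section
        _, offset = decode_name(data, offset)
        offset += 4                   # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, data[offset:offset + rdlength]))
        offset += rdlength
    return answers


def find_conflicting_answers(observed):
    """observed: [(source_ip, packet_bytes)] as seen by a listener on the multicast group.

    Returns {name: {(source_ip, answered_ip), ...}} for names that received more than one
    distinct A-record answer. Nothing in the packet proves who sent it, so this is a
    detection signal to act on (alert, log, refuse to use the name), not a fix.
    """
    seen = {}
    for source_ip, packet in observed:
        for name, rtype, rdata in parse_answers(packet):
            if rtype == 1 and len(rdata) == 4:
                answered_ip = ".".join(str(b) for b in rdata)
                seen.setdefault(name, set()).add((source_ip, answered_ip))
    return {n: s for n, s in seen.items() if len({ip for _, ip in s}) > 1}


def sample_observations():
    """Constructed traffic: two hosts both claim printer.local., one host answers nas.local."""
    return [
        ("192.168.1.20", build_response("printer.local.", "192.168.1.20")),
        ("192.168.1.99", build_response("printer.local.", "192.168.1.99")),
        ("192.168.1.30", build_response("nas.local.", "192.168.1.30")),
    ]


if __name__ == "__main__":
    print("query bytes:", build_query("printer.local.").hex())
    for name, claims in find_conflicting_answers(sample_observations()).items():
        print("conflicting answers for", name, sorted(claims))
```

Running it prints the raw query and reports `printer.local.` as answered by two different hosts, while `nas.local.` is not flagged. The parser accepts any well-formed answer regardless of its source, which is exactly the property the answer describes; the conflict check is the kind of cross-host consistency signal a defender can log or alert on, and the second answer below is right that anything stronger has to come from the layer above.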
Zeroconf is not concerned with security; security should be implemented in the layer above.
TCP wouldn't change much. These problems have to be solved cryptographically.