[kwlug disc.] DNS security threat
john at netdirect.ca
Fri Aug 1 11:51:30 EDT 2008
kwlug-disc-bounces at kwlug.org wrote on 08/01/2008 10:22:09 AM:
> If your internal DNS is set to only allow recursion for internal
> IPs via the 'allow-recursion' option, then I believe it would be
> impossible for an attacker to poison your cache since the only
> values that would be entered into your cache would be ones that you
> are authoritative for and ones that were added because of a query
> from one of your internal IPs.
Having your DNS server recursively handle requests from systems outside
your network is a risky idea. It makes this attack far easier to achieve
and most name servers are configured to prevent this.
A name server configured as Steven suggests would not protect you, and the
exploit assumes that it is set up this way. An attacker can still trigger
your name server to do things, at least in most cases. In a previous post
I mentioned that sending an email with a reference to a remote object (image
or CSS or script) will cause many email clients to look up and download
that object. That's the DNS request right there. Simply sending email (or
connecting, for that matter) to an email server can cause this as well,
since many email servers will perform DNS queries as part of spam
filtering.
Patch your name server and convert your Microsoft Windows DNS server to
Linux, heck, just install Linux on the whole box ;)
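As an added illustration (not part of the original post), here is a BIND 9 named.conf fragment showing the open recursion setting beside the restricted 'allow-recursion' setting the quoted message describes, with the reply's caveat recorded as comments. The acl name and address ranges are assumptions; substitute your own.

```conf
// Assumed acl name and address ranges (constructed for this example).
acl "internal" {
    127.0.0.1;
    10.0.0.0/8;
    192.168.0.0/16;
};

options {
    // Weak setting: recurses on behalf of anyone on the Internet, which is
    // what the reply calls "a risky idea".
    // allow-recursion { any; };

    // Restricted setting: only internal clients may ask this server to
    // recurse or read its cache.
    allow-recursion { internal; };
    allow-query-cache { internal; };

    // Caveat from the reply: this limits who may request recursion, not
    // which names internal clients end up asking about. A mail client
    // fetching a remote image, or a mail server doing DNS-based spam checks,
    // still makes this server send outbound queries that an outsider can
    // provoke, so the cache is still exposed. Patching the server is what
    // actually addresses the exploit.
};
```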