[kwlug disc.] DNS security threat
john at netdirect.ca
Fri Aug 1 15:33:29 EDT 2008
kwlug-disc-bounces at kwlug.org wrote on 08/01/2008 11:20:57 AM:
> No no,, you don't understand.. what you described is the classic cache
> poisoning technique.
Classic would be pre-bailiwick checks, where an additional response is
given that doesn't apply to the original request.
> Kaminsky did something new, he figured out how to launch the attack
> repeatedly..
It's not clear exactly what the attack is but the most common speculation
I've seen is repeated queries for domain names in the same domain, e.g.
aaa1.google.ca, aaa2.google.ca, aaa3.google.ca, etc. Then return a result
record that fits in the bailiwick, e.g. www.google.ca, and the DNS server is
designed to take it. It's a race to beat the real google.ca server and
guess the TXID. You can do it repeatedly because you're asking different
questions which are not cached because they don't exist.
I'm suggesting that if you knew that a browser, email client, or mail
server looked up names in a specific order you could interject a name from
your DNS server with one from google.ca, eg:
<img src="http://zzzz1.mydns.com/blank.png">
<img src="http://aaaa1.google.ca/blank.png">
<img src="http://zzzz2.mydns.com/blank.png">
<img src="http://aaaa2.google.ca/blank.png">
<img src="http://zzzz3.mydns.com/blank.png">
<img src="http://aaaa3.google.ca/blank.png">
<img src="http://aaaa4.mydns.com/blank.png">
<img src="http://aaaa4.google.ca/blank.png">
<img src="http://zzzz5.mydns.com/blank.png">
<img src="http://aaaa5.google.ca/blank.png">
When your server saw a request for zzzz1 it would guess at a response to
aaa1.google.ca as well if it knew the client would process DNS queries in
that order.
It wouldn't have to be a mail client or browser; it could be anything
through which the attacker could trigger a lookup.
> Contrary to what was said earlier, the vast majority of large DNS
> servers are publicly recursive. (either to the ISP's subscribers, or
> even the world at large.) Prior to the patch, Kaminsky's exploit could
> poison and hijack entire domains in seconds, and indeed, there's an
> exploit in the wild that does this... Publicly accessible, unpatched DNS
> servers are now as good as 'P0wned,' I believe is how the kids say it
> now.
I'm surprised at that. I first started to see them close up many years ago
and just assumed that all fell into line.
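An added example, not from this thread, modelling the resolver-side checks the discussion turns on: the bailiwick rule that stops the classic out-of-bailiwick additional record, the TXID and source-port match on an outstanding query, and the difference in guess space that source-port randomisation makes. All names, ports and TXIDs below are constructed for illustration.

```python
"""Model of a resolver's response-acceptance checks around the Kaminsky-era
cache-poisoning discussion. Constructed values only; nothing is sent."""
from dataclasses import dataclass, field

@dataclass
class RR:
    name: str
    rtype: str
    rdata: str

@dataclass
class Response:
    txid: int
    port: int              # UDP port the reply was addressed to
    qname: str
    answers: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies beneath it (case-insensitive)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def accept_response(resp: Response, txid: int, port: int, qname: str, zone: str):
    """Return (accepted, reason). TXID and port must match the outstanding
    query, the question must match, and every record must stay inside the
    bailiwick of `zone` (the zone the queried server is authoritative for)."""
    if resp.txid != txid or resp.port != port:
        return False, "txid/port mismatch"
    if resp.qname.lower() != qname.lower():
        return False, "question mismatch"
    for rr in resp.answers + resp.additional:
        if not in_bailiwick(rr.name, zone):
            return False, f"out-of-bailiwick record {rr.name}"
    return True, "accepted"

def guesses_needed(randomise_port: bool) -> int:
    """Values an off-path forger must hit per attempt: the 16-bit TXID alone,
    or TXID plus a randomised 16-bit source port."""
    return 2 ** 16 * (2 ** 16 if randomise_port else 1)

if __name__ == "__main__":
    q = dict(txid=0x1234, port=33000, qname="aaa1.google.ca", zone="google.ca")
    # classic pre-bailiwick poisoning: an additional record for an unrelated zone
    classic = Response(0x1234, 33000, "aaa1.google.ca",
                       additional=[RR("www.example.com", "A", "203.0.113.9")])
    print(accept_response(classic, **q))
    # a reply with the wrong TXID is dropped before any content is looked at
    print(accept_response(Response(0x9999, 33000, "aaa1.google.ca"), **q))
    print(guesses_needed(False), guesses_needed(True))
```

The in-bailiwick case the post describes (a www.google.ca record riding on an answer for aaa1.google.ca) passes the bailiwick check, which is why the TXID and port checks carry the load and why the patch widened the port space.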