[kwlug disc.] DNS security threat
Rashkae
rashkae at tigershaunt.com
Fri Aug 1 17:39:41 EDT 2008
Chris Frey wrote:
> On Fri, Aug 01, 2008 at 10:00:47AM -0400, Rashkae wrote:
>> Here's how the attack works. Let's suppose I want to poison a DNS
>> cache so any request for www.google.com will instead go to a malware phony.
>
> [...]
>
>> What's new with this 'attack' is, when I send my spoof, not only do I
>> have an A record for something useless like aaaa.google.com, but it
>> turns out, thanks to DNS design, I can include any *other* google.com
>> record, and it will overwrite cache.
>
> [...]
>
>> As far as the patch goes, as far as I can tell, it only makes the DNS
>> server randomize the IP port it uses to make the initial connection.
>
> Maybe I'm missing something, but wouldn't the correct fix for this be
> for the DNS server to only cache data that it specifically asked for?
>
> What side effects to such a fix am I missing?
>
For reasons that are a bit beyond my personal understanding, it's part
of the DNS standard that an Authoritative server can include records for
other hosts as part of its reply to a query. The real flaw is in the
protocol itself, and this patch is only a sloppy band-aid.
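As an added illustration (not part of this thread, and not any real resolver's code), the Python below shows a resolver-side admission policy of the kind Chris asks about: it parses a DNS reply, checks the transaction ID and the destination port against the outstanding query (the check the port-randomization patch makes meaningful), and then caches only records the query asked for, plus NS records for the zone and the glue A records those NS records point at. The packets, names, addresses, ports and transaction ID are all constructed for this example. Note that a plain "in-bailiwick" test alone would still admit the www.google.com record, because www.google.com is inside google.com; the stricter glue-only rule is what rejects it, while keeping the legitimate glue case that Rashkae describes.

```python
import struct
from dataclasses import dataclass

A_TYPE, NS_TYPE = 1, 2  # RR type codes from RFC 1035


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off], following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared at `off`)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


@dataclass
class RR:
    section: str
    name: str
    rtype: int
    rdata: bytes
    target: str = ""  # decoded NS target, only for NS records


def build_response(txid, qname, sections):
    """Build a constructed reply; sections maps answer/authority/additional
    to lists of (owner name, type, rdata bytes)."""
    an = sections.get("answer", [])
    ns = sections.get("authority", [])
    ar = sections.get("additional", [])
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 1, len(an), len(ns), len(ar))
    body = encode_name(qname) + struct.pack("!HH", A_TYPE, 1)
    for name, rtype, rdata in an + ns + ar:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body


def parse_response(msg):
    """Parse header, question and all resource records of a reply."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    off += 4  # skip QTYPE and QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            target = decode_name(msg, off)[0] if rtype == NS_TYPE else ""
            records.append(RR(section, name, rtype, msg[off:off + rdlen], target))
            off += rdlen
    return txid, qname, records


def in_bailiwick(name, zone):
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def admit_to_cache(msg, reply_dst_port, pending):
    """Decide which records of a reply may enter the cache.
    pending describes the outstanding query: txid, the source port it left on,
    its qname, and the zone the queried server is believed authoritative for.
    Returns (accepted RRs, human-readable rejection reasons)."""
    txid, qname, records = parse_response(msg)
    if txid != pending["txid"] or reply_dst_port != pending["src_port"]:
        return [], ["whole reply: transaction id or port does not match outstanding query"]
    if qname.lower() != pending["qname"].lower():
        return [], ["whole reply: question does not match outstanding query"]
    accepted, rejected, ns_targets = [], [], set()
    for rr in records:  # sections arrive in order, so NS targets precede glue
        if not in_bailiwick(rr.name, pending["zone"]):
            rejected.append(f"{rr.section} {rr.name}: outside bailiwick of {pending['zone']}")
        elif rr.section == "answer" and rr.name.lower() == qname.lower():
            accepted.append(rr)
        elif rr.section == "authority" and rr.rtype == NS_TYPE:
            accepted.append(rr)
            ns_targets.add(rr.target.lower())
        elif rr.section == "additional" and rr.rtype == A_TYPE and rr.name.lower() in ns_targets:
            accepted.append(rr)  # glue for an NS record we just accepted
        else:
            rejected.append(f"{rr.section} {rr.name}: not requested and not glue")
    return accepted, rejected


def ip(s):
    return bytes(int(x) for x in s.split("."))


# Constructed state: the resolver asked a server it believes serves google.com
# for aaaa.google.com, using source port 40123 and transaction id 0x1234.
PENDING = {"txid": 0x1234, "src_port": 40123, "qname": "aaaa.google.com", "zone": "google.com"}

# Constructed reply shaped like the one the thread describes: a harmless answer
# plus an unrequested additional record for www.google.com.
UNREQUESTED_EXTRA = build_response(0x1234, "aaaa.google.com", {
    "answer": [("aaaa.google.com", A_TYPE, ip("192.0.2.10"))],
    "additional": [("www.google.com", A_TYPE, ip("192.0.2.66"))],
})

# Constructed referral: NS for the zone with its glue, plus the same stray record.
REFERRAL = build_response(0x1234, "aaaa.google.com", {
    "authority": [("google.com", NS_TYPE, encode_name("ns1.google.com"))],
    "additional": [("ns1.google.com", A_TYPE, ip("192.0.2.1")),
                   ("www.google.com", A_TYPE, ip("192.0.2.66"))],
})

if __name__ == "__main__":
    for label, msg in (("unrequested extra", UNREQUESTED_EXTRA), ("referral", REFERRAL)):
        acc, rej = admit_to_cache(msg, 40123, PENDING)
        print(label, "accepted:", [r.name for r in acc], "rejected:", rej)
```

Running the block shows the aaaa.google.com answer and the ns1.google.com glue entering the cache while the unrequested www.google.com record is dropped in both replies; a reply arriving on a port other than 40123, or with a different transaction id, is discarded outright. The design choice worth noting is that dropping the additional section wholesale would break referrals, which is why the policy distinguishes glue from other unrequested data rather than rejecting everything the query did not name.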