[kwlug disc.] DNS security threat
Rashkae
rashkae at tigershaunt.com
Fri Aug 1 17:41:19 EDT 2008
john at netdirect.ca wrote:
> kwlug-disc-bounces at kwlug.org wrote on 08/01/2008 11:20:57 AM:
>> No no, you don't understand... what you described is the classic cache
>> poisoning technique.
>
> Classic would be pre-bailiwick checks, where an additional response is
> given that doesn't apply to the original request.
>
>> Kaminsky did something new, he figured out how to launch the attack
>> repeatedly..
>
> It's not clear exactly what the attack is but the most common speculation
> I've seen is repeated queries for domain names in the same domain, e.g.
> aaa1.google.ca, aaa2.google.ca, aaa3.google.ca, etc. Then return a result
> record that fits in the bailiwick, e.g. www.google.ca and the DNS server is
> designed to take it. It's a race to beat the real google.ca server and
> guess the TXID. You can do it repeatedly because you're asking different
> questions which are not cached because they don't exist.
>
> I'm suggesting that if you knew that a browser, email client, or mail
> server looked up names in a specific order you could interject a name from
> your DNS server with one from google.ca, eg:
>
> <img src="http://zzzz1.mydns.com/blank.png">
> <img src="http://aaaa1.google.ca/blank.png">
> <img src="http://zzzz2.mydns.com/blank.png">
> <img src="http://aaaa2.google.ca/blank.png">
> <img src="http://zzzz3.mydns.com/blank.png">
> <img src="http://aaaa3.google.ca/blank.png">
> <img src="http://aaaa4.mydns.com/blank.png">
> <img src="http://aaaa4.google.ca/blank.png">
> <img src="http://zzzz5.mydns.com/blank.png">
> <img src="http://aaaa5.google.ca/blank.png">
>
> When your server saw a request for zzzz1 it would guess at a response to
> aaa1.google.ca as well if it knew the client would process DNS queries in
> that order.
>
> It wouldn't have to be a mail client or browser; it could be anything with
> which the attacker could trigger a lookup.
So much for my security blanket *grumble*... I don't know how successful
such an attack would be, but it's probably only a matter of time before
someone tries.
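The pattern John speculates about above (a burst of lookups for distinct, non-existent names under one zone, each raced by answers carrying a guessed transaction ID) leaves a footprint in resolver logs. The following is an added detection example, not code from this thread; the log format, the sample lines and the thresholds are all constructed for illustration.

```python
"""Flag zones that see (a) many distinct never-before-seen names queried
and (b) answers whose transaction ID does not match the outstanding query.
A resolver drops a mismatched answer, but a burst of them for one zone is
the footprint of someone racing the real authority and guessing TXIDs."""
import re
from collections import defaultdict

# Constructed log format (an assumption, not any real resolver's output):
#   <ts> query <name> txid=<hex>
#   <ts> answer <name> txid=<hex> from <ip>
LINE = re.compile(r"^(\S+) (query|answer) (\S+) txid=(0x[0-9a-f]{4})(?: from (\S+))?$")

def parent_zone(name, depth=2):
    """Zone a name sits under: aaa1.google.ca -> google.ca (depth is a
    simplification; real zone cuts need a public-suffix list)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-depth:])

def scan(lines, min_names=3, min_mismatch=3):
    """Return {zone: (distinct_names, mismatched_answers)} for every zone
    that crosses both thresholds."""
    outstanding = {}              # name -> txid of the query we sent
    names = defaultdict(set)      # zone -> distinct names asked about
    mismatch = defaultdict(int)   # zone -> answers with a wrong txid
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                # ignore lines in another format
        _, kind, name, txid, _ = m.groups()
        zone = parent_zone(name)
        if kind == "query":
            outstanding[name] = txid
            names[zone].add(name)
        elif outstanding.get(name) != txid:
            mismatch[zone] += 1     # answer did not match what we asked
    return {z: (len(names[z]), mismatch[z]) for z in names
            if len(names[z]) >= min_names and mismatch[z] >= min_mismatch}

# Constructed sample: one benign lookup, then three sequential names under
# google.ca each followed by answers with guessed (wrong) transaction IDs.
SAMPLE = [
    "t1 query www.example.org txid=0x1111",
    "t2 answer www.example.org txid=0x1111 from 192.0.2.1",
    "t3 query aaa1.google.ca txid=0x2a01",
    "t4 answer aaa1.google.ca txid=0x0001 from 203.0.113.9",
    "t5 answer aaa1.google.ca txid=0x0002 from 203.0.113.9",
    "t6 query aaa2.google.ca txid=0x2a02",
    "t7 answer aaa2.google.ca txid=0x0003 from 203.0.113.9",
    "t8 query aaa3.google.ca txid=0x2a03",
    "t9 answer aaa3.google.ca txid=0x0004 from 203.0.113.9",
    "t10 answer aaa3.google.ca txid=0x2a03 from 192.0.2.53",
]

if __name__ == "__main__":
    print(scan(SAMPLE))  # {'google.ca': (3, 4)}
```

Only the mismatched answers are counted, so a legitimately busy zone with correct TXIDs is not flagged; the thresholds are illustrative and should be tuned to the resolver's normal query volume.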