[kwlug disc.] DNS security threat
john at netdirect.ca
Fri Aug 1 17:49:59 EDT 2008
kwlug-disc-bounces at kwlug.org wrote on 08/01/2008 04:23:31 PM:
> Maybe I'm missing something, but wouldn't the correct fix for this be
> for the DNS server to only cache data that it specifically asked for?
>
> What side effects to such a fix am I missing?
It needs to cache information related to a request. For example, a server
may request the name server for a zone. That's usually expressed as a host
name, and it's often within the zone data. The response to a name server
query might be this: "mycompany.com. 38400 NS ns1.mycompany.com.". The
response basically says the name server for the zone in question is
ns1.mycompany.com; cache it for 86400 seconds (1 day). Now what does the
name server do to resolve ns1.mycompany.com to an IP address? It does a
name server query to determine how to resolve the host name, which starts
out where we began. It would be an endless loop. So the solution is to
provide an additional response that includes the A record for
ns1.mycompany.com.
I can't think of any other examples that require a double result.
Additional responses are accepted if they come from the same zone. In
other words, if an additional result was sent that includes a record within
"mycompany.com", it was accepted because the name server felt it was
talking to an authorized name server. This was called a bailiwick. If a
response was given for a name that wasn't in the zone, it was ignored.
This wasn't always the case. Early versions of name servers didn't check
this, and it was the focus of another poisoning exploit years ago.
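The bailiwick rule described above, as an added example that is not code from the original post: a resolver-side filter that keeps the glue A record for ns1.mycompany.com and drops additional records whose owner name is outside the queried zone. Record tuples, the extra names (www.example.net, ns1.evilmycompany.com) and the RFC 5737 documentation addresses are constructed for the example.

```python
"""Bailiwick check for DNS additional-section records.

Added example, not code from the original post. It mirrors the rule
described in the thread: a resolver that believes it is talking to the
server for a zone should only cache additional records whose owner name
falls inside that zone. Records are constructed in-memory tuples, not a
wire-format parser.
"""
from typing import List, Tuple

# (owner name, ttl, type, rdata): a simplified resource record
RR = Tuple[str, int, str, str]


def _labels(name: str) -> List[str]:
    """Split a DNS name into labels, ignoring the trailing dot and case."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it on a label boundary.

    Comparing whole labels rather than string suffixes keeps a look-alike
    such as "evilmycompany.com" from matching the zone "mycompany.com".
    """
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_additional(zone: str, additional: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split additional records into (accepted, dropped) by bailiwick."""
    accepted = [rr for rr in additional if in_bailiwick(rr[0], zone)]
    dropped = [rr for rr in additional if not in_bailiwick(rr[0], zone)]
    return accepted, dropped


# Constructed response to the NS query from the post. IPs are RFC 5737
# documentation addresses, not real hosts.
ANSWER: List[RR] = [("mycompany.com.", 38400, "NS", "ns1.mycompany.com.")]
ADDITIONAL: List[RR] = [
    ("ns1.mycompany.com.", 38400, "A", "192.0.2.10"),      # glue: in bailiwick
    ("www.example.net.", 38400, "A", "192.0.2.20"),        # unrelated zone
    ("ns1.evilmycompany.com.", 38400, "A", "192.0.2.30"),  # suffix look-alike
]

if __name__ == "__main__":
    cached, ignored = filter_additional("mycompany.com", ADDITIONAL)
    print("cached:", cached)
    print("ignored:", ignored)
```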