Bugtraq mailing list archives
Re: The out-of-domain NS registration attack
From: sanford.whiteman () INTERNAL CONVEY COM (Sanford Whiteman)
Date: Fri, 17 Mar 2000 13:05:06 -0500
Dave, you are certainly correct. We just performed a giant name server migration and can verify that NSI's database has dual primary keys, or what-have-you, that prevent the attack. A name server's IP address can only be associated with one NIC handle...once you bind a hostname to the IP, the hostname is bound to the NIC handle as well. The only way to change this information is to be the contact for the name server's domain. No one else can duplicate either of the keys.

Sandy

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of David, Gover
Sent: Wednesday, March 15, 2000 3:55 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: The out-of-domain NS registration attack

On Tue, 14 Mar 2000, D. J. Bernstein wrote:
Let's say an attacker wants to steal your mail to hotmail.com.
[snip]
The attacker then registers a new domain with NSI, using ns1.jsnet.com as the domain's server name, but his own IP address for ns1.jsnet.com:

   zerosecurity.com NS ns1.jsnet.com
   ns1.jsnet.com A 5.6.7.8
Afaik, you will be unable to do this, as for each host record at NSI, they also hold an IP address. When you specify ns1.jsnet.com as an NS for your domain, the IP address NSI already holds for this hostname is used. Even if you are able to specify a different address for 'ns1.jsnet.com' on your application form, NSI (should|will) either reject it, or ns1.jsnet.com will have both the old, and new A record on NSI's nameservers.

Couldn't this lead to other major problems apart from stealing email?

It's a while since I've registered a domain name with NSI, and so things may work slightly differently, than I have stated or expect..

Dave
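The constraint both messages describe, as an added sketch that is not part of the thread and is not NSI's actual schema: a host table where the hostname and the IP address are each unique and tied to one NIC handle rejects the quoted registration. The table layout, the `JS-NIC` and `ZS-NIC` handles and the 192.0.2.53 address are assumptions constructed for illustration.

```python
import sqlite3

class RegistrationRejected(Exception):
    pass

def make_registry():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE host (
            hostname   TEXT PRIMARY KEY,      -- key 1: one record per name
            ip         TEXT NOT NULL UNIQUE,  -- key 2: one record per address
            nic_handle TEXT NOT NULL          -- contact allowed to change it
        );
        CREATE TABLE delegation (
            domain      TEXT NOT NULL,
            ns_hostname TEXT NOT NULL REFERENCES host(hostname),
            PRIMARY KEY (domain, ns_hostname)
        );
    """)
    return db

def register_domain(db, requester, domain, ns_hostname, ns_ip):
    """Delegate domain to ns_hostname; return the glue address on file."""
    row = db.execute("SELECT ip, nic_handle FROM host WHERE hostname = ?",
                     (ns_hostname,)).fetchone()
    try:
        if row is None:  # new host record: UNIQUE(ip) must still accept it
            db.execute("INSERT INTO host VALUES (?, ?, ?)",
                       (ns_hostname, ns_ip, requester))
        elif row[0] != ns_ip:  # known name, different address
            if row[1] != requester:  # only the record's contact may change it
                raise RegistrationRejected(
                    f"{ns_hostname} is on file as {row[0]}, held by {row[1]}")
            db.execute("UPDATE host SET ip = ? WHERE hostname = ?",
                       (ns_ip, ns_hostname))
    except sqlite3.IntegrityError:
        raise RegistrationRejected(f"{ns_ip} is bound to another host record")
    db.execute("INSERT OR IGNORE INTO delegation VALUES (?, ?)",
               (domain, ns_hostname))
    return db.execute("SELECT ip FROM host WHERE hostname = ?",
                      (ns_hostname,)).fetchone()[0]

if __name__ == "__main__":
    db = make_registry()  # 192.0.2.53 and both NIC handles are constructed
    register_domain(db, "JS-NIC", "jsnet.com", "ns1.jsnet.com", "192.0.2.53")
    try:  # the quoted scenario: same server name, different A record
        register_domain(db, "ZS-NIC", "zerosecurity.com", "ns1.jsnet.com", "5.6.7.8")
    except RegistrationRejected as err:
        print("rejected:", err)
```

A registry without the hostname key would instead store both A records, which is the second outcome the quoted reply mentions.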