nanog mailing list archives
Re: how to protect name servers against cache corruption
From: "Jay R. Ashworth" <jra () scfn thpl lib fl us>
Date: Wed, 30 Jul 1997 09:15:35 -0400
On Wed, Jul 30, 1997 at 04:38:59AM -0000, tqbf () smtp enteract com wrote:
itself, and I'm inclined to believe him when he says there are no more trivial fixes. If you know of one, why don't you share it? I'm notFair enough. Here's a simple piece of input. If BIND 8.1.1 receives a DNS query response with an invalid query ID, it logs it and drops the packet. However, the invalid query ID is evidence of an attack in progress. Why doesn't BIND parse the packet, find out what question is being answered, and immediately re-issue the query with a different ID?
If a copy of BIND _receives_ a query, decides it's bogus, logs it, and drops it, then a question isn't _being_ answered, it's bing _asked_. Why _would_ BIND re-issue a query. it hadn't _issued_ that query in the first place. Or, in simpler terms, "huh"?
In other words, it's possible for BIND to detect that it is under attack (in a response-forged query-ID guessing situation). BIND doesn't do anything about this. Why?
This isn't so much a security bug, but more a lack of a security-enhancing feature. It _certainly_ doesn't merit the veiled character assination you've been using it to justify.
Just the simplest suggestion I can come up with (without having this go into multiple pages) to convey the idea that I am trying to be constructive here.
You've failed.
I'm not sure this is the appropriate forum for this discussion (*copout*Ididn'tstartthisthread*copout*), but if you want further details as to my harebrained suggestions, I'm happy to give them!
Time to move this to bind-workers, no? Perry, Paul? Cheers, -- jra -- Jay R. Ashworth jra () baylink com Member of the Technical Staff Unsolicited Commercial Emailers Sued The Suncoast Freenet "People propose, science studies, technology Tampa Bay, Florida conforms." -- Dr. Don Norman +1 813 790 7592
Current thread:
- Re: how to protect name servers against cache corruption, (continued)
- Re: how to protect name servers against cache corruption Ben Black (Jul 29)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 29)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 29)
- Re: how to protect name servers against cache corruption Paul A Vixie (Jul 29)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 29)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 29)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 29)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 29)
- Re: how to protect name servers against cache corruption Christopher Masto (Jul 29)
- Re: how to protect name servers against cache corruption tqbf (Jul 29)
- Re: how to protect name servers against cache corruption Jay R. Ashworth (Jul 30)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 30)
- Re: how to protect name servers against cache corruption tqbf (Jul 30)
- Re: how to protect name servers against cache corruption Deepak Jain (Jul 30)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 30)
- Message not available
- Re: how to protect name servers against cache corruption Jay R. Ashworth (Jul 30)
- Re: how to protect name servers against cache corruption Ben Black (Jul 29)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 29)
- Re: how to protect name servers against cache corruption Ben Black (Jul 29)
- off-topic (Re: how to protect name servers against cache corruption ) Paul A Vixie (Jul 29)
- Re: off-topic (Re: how to protect name servers against cache corruption ) Larry Vaden (Jul 29)