Re: how to protect name servers against cache corruption

["Perry E. Metzger" <perry () piermont com>]

tqbf () smtp enteract com writes:
> In article <19970730001246.22933 () netmonger net>, you wrote:
> > _details_.  Paul has written papers on DNS security, along with BIND
> > itself, and I'm inclined to believe him when he says there are no more
> > trivial fixes.  If you know of one, why don't you share it?  I'm not
>
> Fair enough.
>
> Here's a simple piece of input. If BIND 8.1.1 receives a DNS query
> response with an invalid query ID, it logs it and drops the packet.
> However, the invalid query ID is evidence of an attack in progress. Why
> doesn't BIND parse the packet, find out what question is being answered,
> and immediately re-issue the query with a different ID?

Oh, beautiful. I'd love a tool like that -- it would give me a way of
forcing copies of BIND that had been rigged not to accept arbitrary
outside queries to make queries of my choice. Were I a systems
cracker, I would love such a tool.

I can think of some other mean hacks I could do with that facility, too.

The problem is not a lack of "clever hacks". The problem is a lack of
security in the DNS protocols without DNSSEC.

> In other words, it's possible for BIND to detect that it is under attack
> (in a response-forged query-ID guessing situation). BIND doesn't do
> anything about this. Why?

Because the idea isn't very intelligent? Because not everyone on earth
is an idiot and stuff like this has been considered before by other
people and rejected because it wasn't a brilliant idea?

> Just the simplest suggestion I can come up with (without having this go
> into multiple pages) to convey the idea that I am trying to be
> constructive here. 

No, what you are, Mr. Ptacek, is someone none of us have ever heard of
who is coming in like a bull in a china shop informing us that
although the people who build and maintain things like BIND aren't
very bright, you are out there willing to save us.

Thanks, but no thanks.

Perry