nanog mailing list archives
Re: how to protect name servers against cache corruption
From: "Perry E. Metzger" <perry () piermont com>
Date: Wed, 30 Jul 1997 10:03:21 -0400
tqbf () smtp enteract com writes:
In article <19970730001246.22933 () netmonger net>, you wrote:
_details_. Paul has written papers on DNS security, along with BIND itself, and I'm inclined to believe him when he says there are no more trivial fixes. If you know of one, why don't you share it? I'm not
Fair enough. Here's a simple piece of input. If BIND 8.1.1 receives a DNS query response with an invalid query ID, it logs it and drops the packet. However, the invalid query ID is evidence of an attack in progress. Why doesn't BIND parse the packet, find out what question is being answered, and immediately re-issue the query with a different ID?
Oh, beautiful. I'd love a tool like that -- it would give me a way of forcing copies of BIND that had been rigged not to accept arbitrary outside queries to make queries of my choice. Were I a systems cracker, I would love such a tool. I can think of some other mean hacks I could do with that facility, too. The problem is not a lack of "clever hacks". The problem is a lack of security in the DNS protocols without DNSSEC.
In other words, it's possible for BIND to detect that it is under attack (in a response-forged query-ID guessing situation). BIND doesn't do anything about this. Why?
Because the idea isn't very intelligent? Because not everyone on earth is an idiot and stuff like this has been considered before by other people and rejected because it wasn't a brilliant idea?
Just the simplest suggestion I can come up with (without having this go into multiple pages) to convey the idea that I am trying to be constructive here.
No, what you are, Mr. Ptacek, is someone none of us have ever heard of who is coming in like a bull in a china shop informing us that although the people who build and maintain things like BIND aren't very bright, you are out there willing to save us. Thanks, but no thanks.
Perry
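The query-ID check discussed in this message, as an added example that is not part of the original post and not BIND's code: a resolver-side matcher that accepts a response only if it answers an outstanding question from the queried server with the ID that was sent, and otherwise logs and drops it without sending anything in reaction to the packet. The names `ResponseMatcher`, `build_msg`, `parse_question`, the `alert_after` threshold and the sample addresses and packets are assumptions constructed for illustration.

```python
import struct

def build_msg(qid, name, response=False, qtype=1):
    """Build a one-question DNS message (used only to construct the sample packets)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    flags = 0x8180 if response else 0x0100  # QR bit set marks a response
    return struct.pack("!6H", qid, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def parse_question(msg):
    """Return (qid, is_response, qname, qtype); raise ValueError on malformed input."""
    try:
        qid, flags, qdcount = struct.unpack("!3H", msg[:6])
        if len(msg) < 12 or qdcount != 1:
            raise ValueError("bad header")
        labels, pos = [], 12
        while (n := msg[pos]) != 0:
            if n > 63 or pos + 1 + n > len(msg):
                raise ValueError("bad label")
            labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
            pos += 1 + n
        qtype, _qclass = struct.unpack("!2H", msg[pos + 1:pos + 5])
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated message") from exc
    return qid, bool(flags & 0x8000), ".".join(labels), qtype

class ResponseMatcher:
    """Track outstanding queries; wrong-ID replies are counted and dropped, nothing is sent."""
    def __init__(self, alert_after=3):
        self.pending = {}      # (server, qname, qtype) -> query ID we sent
        self.mismatches = {}   # (server, qname, qtype) -> wrong-ID replies seen
        self.alert_after = alert_after  # hypothetical alert threshold

    def sent(self, server, msg):
        qid, _, qname, qtype = parse_question(msg)
        self.pending[(server, qname, qtype)] = qid

    def received(self, src, msg):
        try:
            qid, is_resp, qname, qtype = parse_question(msg)
        except ValueError:
            return "drop:malformed"
        key = (src, qname, qtype)
        if not is_resp or key not in self.pending:
            return "drop:unsolicited"
        if qid != self.pending[key]:
            self.mismatches[key] = self.mismatches.get(key, 0) + 1
            return "alert:id-guessing" if self.mismatches[key] >= self.alert_after else "drop:bad-id"
        del self.pending[key]
        return "accept"
```

A wrong-ID reply leaves the pending entry untouched, so the genuine answer is still accepted when it arrives, and the per-question counter gives operators a signal to alert on.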