nanog mailing list archives

Re: DNS cache poisoning attacks -- are they real?


From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 28 Mar 2005 00:09:30 +0200


* Brad Knowles:

      It only takes a little while to figure out that domains can be 
fake-hosted using open caching recursive resolvers.  Someone creates 
a domain with very small TTLs for the real authoritative servers. 
Within the zone, they do lame delegations to a lot of known public 
caching recursive servers, with much longer TTLs.

      The lame delegators do what they think is their duty to serve the 
data they are requested for, and they are the ones who effectively 
serve that data to the world.  In fact, the real IP addresses of the 
authoritative servers could be changed every five minutes, with the 
new policies and procedures in place from NetSol.

I doubt this will work on a large scale.  At least recent BIND
resolvers would discard replies from the abused caching resolvers
because they lack the AA bit, so only clients using the resolvers as
actual resolvers are affected.

You can more easily seed open resolvers, sure, but with a reasonably
sized botnet, you can do the same thing with closed ones.
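The AA-bit check described above, as an added example (my own code, not code from the thread or from BIND): a resolver that reached a server by following a delegation accepts the answer only if the responder sets the AA flag; the message builder and the two sample responses are constructed here for illustration.

```python
import struct

# Flag bits in the second 16-bit word of a DNS header (RFC 1035 section 4.1.1).
QR = 1 << 15   # response
AA = 1 << 10   # authoritative answer
RA = 1 << 7    # recursion available (typical of a caching resolver)

def build_response(txid, flags, qname=b"example.test", rdata=b"\xc0\x00\x02\x01"):
    """Build a minimal one-answer A-record response (constructed sample, not a capture)."""
    header = struct.pack("!HHHHHH", txid, QR | flags, 1, 1, 0, 0)
    labels = b"".join(bytes([len(l)]) + l for l in qname.split(b".")) + b"\x00"
    question = labels + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    # Answer: name is a compression pointer to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, len(rdata)) + rdata
    return header + question + answer

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "rcode": flags & 0xF, "ancount": an}

def accept_delegated_answer(msg, expected_id):
    """Accept an answer from a server reached via a delegation only if it claims authority.

    A lame-delegated open caching resolver answers from its cache with AA clear
    (and usually RA set), so its reply is discarded here.
    """
    h = parse_header(msg)
    if h["id"] != expected_id or not h["qr"] or h["rcode"] != 0:
        return False
    return h["aa"]

if __name__ == "__main__":
    authoritative = build_response(0x1234, AA)
    lame_cache = build_response(0x1234, RA)
    print("authoritative accepted:", accept_delegated_answer(authoritative, 0x1234))
    print("open-resolver reply accepted:", accept_delegated_answer(lame_cache, 0x1234))
```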

