nanog mailing list archives
Re: DNS cache poisoning attacks -- are they real?
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 28 Mar 2005 00:09:30 +0200
* Brad Knowles:
> It only takes a little while to figure out that domains can be fake-hosted using open caching recursive resolvers. Someone creates a domain with very small TTLs for the real authoritative servers. Within the zone, they do lame delegations to a lot of known public caching recursive servers, with much longer TTLs. The lame delegators do what they think is their duty to serve the data they are requested for, and they are the ones who effectively serve that data to the world. In fact, the real IP addresses of the authoritative servers could be changed every five minutes, with the new policies and procedures in place from NetSol.
I doubt this will work on a large scale. At least recent BIND resolvers would discard replies from the abused caching resolvers because they lack the AA bit, so only clients using the resolvers as actual resolvers are affected. You can more easily seed open resolvers, sure, but with a reasonably sized botnet, you can do the same thing with closed ones.
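The AA-bit check Florian refers to, written out as an added example (this is not code from the thread, and it is a simplified model of the resolver behaviour he describes, not BIND's actual implementation). It builds two constructed DNS responses for the same question, one from an authoritative server with AA set and one from a caching resolver that answers without AA but with RA, and shows how a resolver following a delegation can reject the second. The function names and the sample domain are assumptions.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR_FLAG = 0x8000  # response
AA_FLAG = 0x0400  # Authoritative Answer
RA_FLAG = 0x0080  # Recursion Available (typical of caching resolvers)


def encode_name(name):
    """Encode a dotted name in DNS wire format (labels with length prefixes)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, *, authoritative, recursion_available, qname, rdata):
    """Constructed sample: a minimal one-answer A-record response.

    `authoritative` sets AA (what a real authoritative server sends);
    `recursion_available` sets RA (what an open caching resolver sends).
    """
    flags = QR_FLAG
    if authoritative:
        flags |= AA_FLAG
    if recursion_available:
        flags |= RA_FLAG
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    # Answer: compression pointer to the question name at offset 12,
    # type A, class IN, TTL 300, RDLENGTH 4, then the IPv4 address bytes.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    answer += bytes(int(octet) for octet in rdata.split("."))
    return header + question + answer


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR_FLAG),
        "aa": bool(flags & AA_FLAG),
        "ra": bool(flags & RA_FLAG),
        "qdcount": qd,
        "ancount": an,
    }


def accept_delegation_reply(msg, expected_id):
    """Model of the resolver-side check (assumption: simplified, not BIND's code).

    When a resolver has followed an NS delegation and queried the delegated
    server directly, it expects an authoritative reply. A reply without AA
    means the server is lame for the zone or is just a caching resolver that
    was named in the delegation, so the answer is discarded rather than cached.
    Returns (accepted, reason).
    """
    h = parse_header(msg)
    if h["id"] != expected_id or not h["qr"]:
        return False, "transaction id or QR mismatch"
    if h["ancount"] == 0:
        return False, "no answer records"
    if not h["aa"]:
        return False, "non-authoritative reply from delegated server (lame or caching)"
    return True, "authoritative answer"


if __name__ == "__main__":
    txid = 0x1234  # constructed transaction id
    auth = build_response(txid, authoritative=True, recursion_available=False,
                          qname="www.example.test", rdata="192.0.2.10")
    cache = build_response(txid, authoritative=False, recursion_available=True,
                           qname="www.example.test", rdata="192.0.2.10")
    print("authoritative server:", accept_delegation_reply(auth, txid))
    print("open caching resolver:", accept_delegation_reply(cache, txid))
```

The point of the check is the one Florian makes: a caching resolver named in a lame delegation can only influence clients that query it directly as their resolver, because an iterative resolver that reaches it through the delegation sees RA without AA and refuses to cache the reply.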