Vulnerability Development mailing list archives
Re: DNS exploit
From: Gordon Messmer <yinyang () EBURG COM>
Date: Wed, 23 Aug 2000 14:39:48 -0700
On Tue, 22 Aug 2000, George wrote:
> Ok, now create a domain.com zone. In that zone create an A record for www.domain.com and then create a Cname for domain.com and point it to www.domain.com. Let it replicate out to the ISP's servers, then do a bunch of queries for domain.com from their servers. Takes a little time but it basically creates a really nasty loop. (not sure if it happens with all DNS servers)
What servers _does_ that work with? Have you tested this, or is this theoretical?

The "BIND" name server won't be seriously affected by this. First, if you attempt to have a hostname that has both an "A" record and a CNAME, the domain will be rejected outright. You'll see errors like this:

###
Aug 23 14:26:36 ascension named[18270]: news.bs.net has CNAME and other data (invalid)
Aug 23 14:26:36 ascension named[18270]: db.bs:15:news.bs.net: CNAME and OTHER data error
Aug 23 14:26:36 ascension named[18270]: master zone "bs.net" (IN) rejected due to errors (serial 1)
###

If you create ONLY the CNAME record, then try to look up that name, BIND will return twelve records before quitting because the name lookup is looping. This does not seem to place a serious load on the system, even with many lookups.

I'd be curious to hear what name servers are vulnerable to attacks like this (MS name service? Old versions of BIND?), but BIND 8 does not appear vulnerable to this attack.

MSG
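An added example, not part of the original post and not BIND's code: a small Python check for the two conditions discussed above, a name that owns a CNAME plus other data, and a CNAME chain that loops. The record tuples are constructed sample data, and the 12-hop cap is an assumption that mirrors the twelve records reported in the post.

```python
from collections import defaultdict

MAX_HOPS = 12  # assumption: mirrors the twelve records reported in the post

def normalize(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.lower().rstrip(".")

def cname_conflicts(records):
    """Return names that own a CNAME plus any other record type."""
    types = defaultdict(set)
    for name, rtype, _ in records:
        types[normalize(name)].add(rtype.upper())
    return sorted(n for n, t in types.items() if "CNAME" in t and len(t) > 1)

def follow_cname(records, name, max_hops=MAX_HOPS):
    """Follow CNAMEs starting at name and return (status, chain).

    status is 'resolved' (chain reaches a name with no CNAME), 'loop'
    (a name repeats) or 'limit' (max_hops followed without either).
    """
    cnames = {normalize(n): normalize(t)
              for n, r, t in records if r.upper() == "CNAME"}
    chain = [normalize(name)]
    seen = set(chain)
    for _ in range(max_hops):
        target = cnames.get(chain[-1])
        if target is None:
            return "resolved", chain
        chain.append(target)
        if target in seen:
            return "loop", chain
        seen.add(target)
    return "limit", chain

# Constructed sample zones (reserved .example names and 192.0.2.0/24).
ZONE_CONFLICT = [  # one hostname with both an A record and a CNAME
    ("news.example.", "A", "192.0.2.10"),
    ("news.example.", "CNAME", "www.example."),
    ("www.example.", "A", "192.0.2.11"),
]
ZONE_LOOP = [  # CNAME-only names that point at each other
    ("a.example.", "CNAME", "b.example."),
    ("b.example.", "CNAME", "a.example."),
]

if __name__ == "__main__":
    print(cname_conflicts(ZONE_CONFLICT))
    print(follow_cname(ZONE_LOOP, "a.example."))
```

Running a check like this over zone data before it is loaded or transferred flags both conditions without depending on how a particular name server reacts to them.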