Vulnerability Development mailing list archives

Re: DNS exploit


From: Gordon Messmer <yinyang () EBURG COM>
Date: Wed, 23 Aug 2000 14:39:48 -0700

On Tue, 22 Aug 2000, George wrote:

> Ok, now create a domain.com zone. In that zone create an A record for
> www.domain.com and then create a Cname for domain.com and point it to
> www.domain.com.
>
> Let it replicate out to the ISP's servers, then do a bunch of queries for
> domain.com from their servers. Takes a little time but it basically creates
> a really nasty loop. (not sure if it happens with all DNS servers)

What servers _does_ that work with?  Have you tested this, or is this
theoretical?

The "BIND" name server won't be seriously affected by this.  First, if
you attempt to have a hostname that has both an "A" record and a CNAME,
the domain will be rejected outright.  You'll see errors like this:

###
Aug 23 14:26:36 ascension named[18270]:
  news.bs.net has CNAME and other data (invalid)
Aug 23 14:26:36 ascension named[18270]:
  db.bs:15:news.bs.net: CNAME and OTHER data error
Aug 23 14:26:36 ascension named[18270]:
  master zone "bs.net" (IN) rejected due to errors (serial 1)
###

If you create ONLY the CNAME record, then try to look up that name, BIND
will return twelve records before quitting because the name lookup is
looping.  This does not seem to place a serious load on the system, even
with many lookups.

I'd be curious to hear what name servers are vulnerable to attacks like
this (MS name service? Old versions of BIND?), but BIND 8 does not appear
vulnerable to this attack.
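As an added illustration (not code from the thread or from BIND), the two failure modes Gordon describes can be checked against a zone before it is loaded: a name that carries a CNAME next to other data, which BIND rejects, and a CNAME chain that never reaches a terminal record. The record format is a simplified (owner, type, rdata) tuple list assumed for this example, and the chain cap of twelve only mirrors the count reported in the post.

```python
"""Constructed zone-sanity checks for the two failure modes in the post:
a name carrying both a CNAME and other data, and a CNAME chain that loops.
Not BIND's code; the (owner, type, rdata) tuple format is assumed here."""
from collections import defaultdict

# Constructed sample zone modelled on George's description: an A record
# for www.domain.com and a CNAME at the apex pointing at it.
SAMPLE_ZONE = [
    ("www.domain.com.", "A", "192.0.2.10"),
    ("domain.com.", "CNAME", "www.domain.com."),
]

# Constructed zone with the condition BIND rejects: CNAME plus other data.
CONFLICT_ZONE = [
    ("news.bs.net.", "A", "192.0.2.20"),
    ("news.bs.net.", "CNAME", "www.bs.net."),
]

# Constructed CNAME loop with no terminating A record anywhere in the chain.
LOOP_ZONE = [
    ("a.example.", "CNAME", "b.example."),
    ("b.example.", "CNAME", "a.example."),
]


def cname_conflicts(zone):
    """Return owner names holding a CNAME alongside any other record type,
    the condition BIND logs as 'CNAME and other data' before rejecting."""
    types = defaultdict(set)
    for owner, rtype, _ in zone:
        types[owner.lower()].add(rtype.upper())
    return sorted(o for o, t in types.items() if "CNAME" in t and len(t) > 1)


def resolve(zone, name, max_chain=12):
    """Chase CNAMEs from `name`; return (final_name, rdata_list, looped).

    max_chain=12 mirrors the record count the post reports BIND stopping
    at; it is a cap for this example, not a claim about BIND's algorithm.
    """
    by_owner = defaultdict(list)
    for owner, rtype, rdata in zone:
        by_owner[owner.lower()].append((rtype.upper(), rdata))
    seen, current = [], name.lower()
    while len(seen) < max_chain:
        seen.append(current)
        rrs = by_owner.get(current, [])
        cnames = [rd for rt, rd in rrs if rt == "CNAME"]
        if not cnames:  # terminal name: hand back its non-CNAME data
            return current, [rd for rt, rd in rrs if rt != "CNAME"], False
        current = cnames[0].lower()
        if current in seen:  # revisited a name: the chain loops
            return current, [], True
    return current, [], True  # cap reached without a terminal record
```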
