Bugtraq mailing list archives
Re: The out-of-domain NS registration attack
From: cmadams () HIWAAY NET (Chris Adams)
Date: Mon, 20 Mar 2000 10:10:59 -0600
Once upon a time, Sanford Whiteman <sanford.whiteman () INTERNAL CONVEY COM> said:
Dave, you are certainly correct. We just performed a giant name server migration and can verify that NSI's database has dual primary keys, or what-have-you, that prevent the attack. A name server's IP address can only be associated with one NIC handle...once you bind a hostname to the IP, the hostname is bound to the NIC handle as well. The only way to change this information is to be the contact for the name server's domain. No one else can duplicate either of the keys.
What you are missing is this: if a domain has name servers that do NOT exist in the root server list, they can be changed. The original example of hotmail.com was a good one. hotmail.com. 12m40s IN NS ns3.hotmail.com. hotmail.com. 12m40s IN NS ns1.jsnet.com. hotmail.com. 12m40s IN NS ns1.hotmail.com. ns1.jsnet.com is not a registered name server, so you could try to register an IP address for it other than its real address. Now, if NetSol (and all of the registrars) restrict registration of a name server to the technical/zone contacts for the domain (jsnet.com in the above case), you _should_ still be okay. -- Chris Adams <cmadams () hiwaay net> Systems and Network Administrator - HiWAAY Information Services I don't speak for anybody but myself - that's enough trouble.
Current thread:
- The out-of-domain NS registration attack D. J. Bernstein (Mar 13)
- Re: The out-of-domain NS registration attack David Terrell (Mar 14)
- Re: The out-of-domain NS registration attack David, Gover (Mar 15)
- Re: The out-of-domain NS registration attack D. J. Bernstein (Mar 20)
- Last call for paper - Raid 2000 - Deadline is March 31st Herve Debar (Mar 21)
- <Possible follow-ups>
- Re: The out-of-domain NS registration attack Sanford Whiteman (Mar 17)
- Re: The out-of-domain NS registration attack Chris Adams (Mar 20)