Bugtraq mailing list archives

Re: Permitting recursion can allow spammers to steal name server resources


From: Mike Hoskins <mike () adept org>
Date: Wed, 10 Sep 2003 15:00:31 -0700 (PDT)

On Wed, 10 Sep 2003, Dan Harkless wrote:
On September 9, 2003, Chris Brenton <cbrenton () chrisbrenton org> wrote:
[...]
"DNS Cache Poisoning - The Next Generation" by Joe Stewart, GCIH
http://www.securityfocus.com/guest/17905
[...]
_Fixing the problem with Bind_
<snip>
allow-recursion { 172.16.1.1; 10.0.0.0/8; 192.168.1.0/24; };
As has been pointed out before, this still leaves you potentially open to
cache poisoning if the attacker can spoof those addresses (and again, the
attacker will need to be spoofing anyway, if attacking BIND 9).

luckily more providers have begun properly filtering at ingress.  granted,
spoofing is still quite possible from a large percentage of IPv4 space.

The safest setup is to run authoritative nameservers on separate machines
(or at least IPs) from caching recursive servers, as discussed, e.g. here:

FWIW, i think this can be derived from Joe's article as well.  also,
anyone configuring BIND should see Rob Thomas' _Secure BIND Template_,

http://www.cymru.com/Documents/secure-bind-template.html

everything discussed here relating to BIND configuration (and more) is
covered there.

i'd also like to point out that the title of this thread is a bit
misleading, or at least not 100% accurate wrt the suggestions being given.
yes, we can arrive at a relatively secure DNS implementation using BIND or
other alternatives...  however, even with a secure implementation, h4x0rz
can 'steal name server resources'; if you have a resolver (recursive or
not) attached to the public Internet, it can be bombarded with queries.
that, like many forms of 'legitimate use', is 'steal[ing] ... resources'
and can't be easily avoided (only mitigated). ;)  it's also one of the
more frequent things i see reported on mailing lists these days...
particularly thanks to M$.

-mrh

--
From: "Spam Catcher" <spam-catcher () adept org>
To: spam-catcher () adept org
Do NOT send email to the address listed above or
you will be added to a blacklist!
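The split that the thread recommends (authoritative service on one host, recursive caching on another, with recursion restricted by address), written out as two named.conf fragments. This is an added example, not configuration from the thread, from Joe Stewart's article or from Rob Thomas' template; the host names, addresses, zone and file names are assumptions.

```conf
// ---- /etc/named.conf on ns1.example.net (authoritative only) ----------
// Added example; all names and addresses below are assumed.
options {
    directory "/var/named";
    // Never recurse on anyone's behalf. With recursion off, there is no
    // cache to poison and no address-based ACL to spoof past.
    recursion no;
    allow-query    { any; };         // the whole Internet may ask about our zones
    allow-transfer { 192.0.2.2; };   // secondary server only (assumed address)
};

zone "example.net" {
    type master;
    file "example.net.zone";
};

// ---- /etc/named.conf on resolver.example.net (caching/recursive only) --
// Separate host, separate file; shown here for comparison with the above.
options {
    directory "/var/named";
    recursion yes;
    // BIND address match lists are ';'-separated; the ','-separated form
    // quoted earlier in the thread is rejected by named.
    allow-recursion { 127.0.0.1; 10.0.0.0/8; 192.168.1.0/24; };
    allow-query     { 127.0.0.1; 10.0.0.0/8; 192.168.1.0/24; };
    // No authoritative zones here: a spoofed-source query that slips past
    // the ACL can still poison this cache, but it cannot change the answers
    // ns1 hands out to the rest of the Internet.
};
```

To check the authoritative side from an outside address, query it for a name it is not authoritative for (for example `dig @ns1.example.net www.example.com`): with `recursion no` the response header must not carry the `ra` flag and the answer section stays empty, which is the behaviour the thread is after.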

