Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing

From: Tim <tim-security () sentinelchicken org>
Date: Wed, 18 Apr 2007 07:41:18 -0400
Hello Makoto,


Thank you for the clarification, Tim.
That is exactly what I wanted to say. :)

By the way, as regards recent Bind 9, birthday attack is much more
difficult to conduct because even if the attacker sends multiple
simultaneous recursive queries, Bind 9 aggregates these queries.


Aggregating queries would definitely help if you assume the attacker can
make recursive queries.  

However, it was my understanding (which could be completely wrong) that
BIND 9 reuses sockets for multiple queries, unlike previous versions,
and this makes spoofed attacks easier in another respect.  (Of course
this all has nothing to do with the Windows-specific flaw.)



In addition, there is a patch written by Jinmei-san for Bind 9.4.0
(current release) to randomize source ports.

  http://www.jinmei.org/bind-9.4.0-portpool.patch
  http://member.wide.ad.jp/tr/wide-tr-dns-bind9-portpool-01.txt
  (technical report from WIDE project in Japanese)


That's good, that at least someone is trying to do this in BIND.

thanks for the info,
tim
Previous By Date Next
Previous By Thread Next

Current thread: