Bugtraq mailing list archives
RE: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Tue, 17 Apr 2007 18:44:38 -0400
I appreciate you replying, but I understand the Windows DNS attack well. I'm just wondering how and if BIND protects against the same attack, and if yes, how? Roger ***************************************************************** *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada... *email: roger_grimes () infoworld com or roger () banneretcs com *Author of Professional Windows Desktop and Server Hardening (Wrox) *http://www.amazon.com/gp/product/0764599909 ***************************************************************** -----Original Message----- From: Tim [mailto:tim-security () sentinelchicken org] Sent: Tuesday, April 17, 2007 5:27 PM To: Roger A. Grimes Cc: bugtraq () securityfocus com Subject: Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Roger, This is what I know about it, since no one else seems to be giving you more info...
As described above, Windows DNS is vulnerable to the cache poisoning attack through the forwarder DNS server. This seems because Windows DNS blindly trusts replies from forwarder DNS and caches every resource records regardless of their domain.
The original vulnerability was the issue that Windows DNS server accepts
records from unauthoritative sources. This was partially fixed with
some registry setting (insanely off by default), but it turned out if
Windows was using an upstream resolver (i.e. not going directly to the
roots), then it was still vulnerable. This is the vulnerability which
is specific to Windows DNS (though Symantec's also had it, I think).
For instance, if a Windows DNS cache asks for example.org, and receives
records for example.org and org (TLD), then it will blindly believe it,
under certain conditions. BIND does not do this, AFAIK, and neither
does any correctly implemented DNS cache.
The attack described just now, is that this vulnerability combined with
the traditional "birthday" attack scenario allows another form of
attack. The birthday attacks in general are still possible on any DNS
server which doesn't randomize source ports, but may be more difficult
to conduct than this new attack. (I'm not sure, I haven't run the
numbers.)
Hope this clears it up. If you're interested in running a more secure
DNS cache, try djbdns' dnscache.
tim
PS- Please correct me if I messed up any of the details on the Windows
DNS vulnerability. This is all straight from memory... didn't
double-check my sources.
Current thread:
- Windows DNS Cache Poisoning by Forwarder DNS Spoofing Makoto Shiotsuki (Apr 16)
- RE: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Roger A. Grimes (Apr 17)
- Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Tim (Apr 17)
- Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Makoto Shiotsuki (Apr 18)
- Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Tim (Apr 18)
- RE: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Roger A. Grimes (Apr 18)
- Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Tim (Apr 18)
- Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Tim (Apr 17)
- RE: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Roger A. Grimes (Apr 17)
- Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Makoto Shiotsuki (Apr 17)
- RE: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Roger A. Grimes (Apr 17)
- Re[2]: Windows DNS Cache Poisoning by Forwarder DNS Spoofing 3APA3A (Apr 17)
- RE: Re[2]: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Roger A. Grimes (Apr 18)
- RE: Re[2]: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Oliver Friedrichs (Apr 19)
- Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Bojan Zdrnja (Apr 18)
- Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing Matthew Dixon Cowles (Apr 18)