Dailydave mailing list archives

Re: DNS Speculation


From: "Dominique Brezinski" <dominique.brezinski () gmail com>
Date: Tue, 22 Jul 2008 10:17:35 -0700

On Tue, Jul 22, 2008 at 9:55 AM, Alexander Sotirov <alex () sotirov net> wrote:
> Alright, so then my question is why would the resolver accept the additional RR
> record for ns.google.com? It didn't ask for ns.google.com, it should just ignore
> the extra RR. The only server who should be allowed to send A records for
> ns.google.com should be the .com nameserver.

Because ns.google.com is authoritative for google.com, not the .com
root server. The root server just tells you where to find
ns.google.com based on the published NS records. So ns.google.com
includes additional RRs in responses, so the client can populate its
cache with the current name servers for google.com and their IP
addresses. That is how DNS works. And that behavior allows the
authoritative server to deliver the names and addresses of the current
primary and secondary authoritative name servers in an efficient
manner.

The problem is the ability to spoof the response from the
authoritative server (cause TXID collision). Once you do that, you
speak for the domain. DNS is already a very chatty protocol, so
limiting the authoritative server to just being able to deliver the A
or CNAME record that was queried and the names of the authoritative
name servers would greatly increase the traffic volume. Yes, it would
complicate the attack, but it would not entirely stop it. And changing
this behavior would effectively cause a DDoS against many of the name
servers out there.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
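As an added example (not code from this thread or from any resolver project), the resolver-side bailiwick check that answers Alexander's question: additional-section records enter the cache only when their owner name lies within the zone the responding server was delegated for, so google.com's own server may supply glue for ns.google.com but cannot plant a record for an unrelated name. The record values and zone names below are constructed.

```python
"""Bailiwick filter for the additional section of a DNS response.

The resolver knows which zone a server was delegated for (the parent's NS
records pointed it there). Any additional RR whose owner name is not at or
below that zone is dropped before it can populate the cache.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "ns1.google.com"
    rtype: str   # "A", "NS", "CNAME", ...
    rdata: str   # address or target name


def _labels(name: str) -> list[str]:
    # Normalise case and trailing dot; compare label-wise, never as a
    # plain string suffix, so "evilgoogle.com" does not match "google.com".
    return name.rstrip(".").lower().split(".")


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex itself or any name below it."""
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[-len(z):] == z


def filter_additional(zone: str, additional: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split additional RRs into (accepted, rejected) for the given bailiwick."""
    accepted, rejected = [], []
    for rr in additional:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed sample: what google.com's authoritative server might append,
# plus one out-of-bailiwick record that a forged response could try to slip in.
SAMPLE_ADDITIONAL = [
    RR("ns1.google.com", "A", "192.0.2.10"),
    RR("ns2.google.com", "A", "192.0.2.11"),
    RR("www.example.net", "A", "198.51.100.7"),
]

if __name__ == "__main__":
    ok, dropped = filter_additional("google.com", SAMPLE_ADDITIONAL)
    print("cached :", [rr.name for rr in ok])        # both ns records
    print("dropped:", [rr.name for rr in dropped])   # www.example.net
```

The same records answered by the .com server (zone "com") are also in bailiwick, which is why both the parent and the child server may legitimately supply glue for ns.google.com.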
