Dailydave mailing list archives
Re: DNS Guess 2 for the day
From: Parity <pty.err () gmail com>
Date: Sun, 13 Jul 2008 23:02:41 +0200
On Sun, Jul 13, 2008 at 3:18 PM, Petja van der Lek <lek () xs4all nl> wrote:
> Now, were a name server to retain and reuse the TID received from a client in its corresponding outgoing queries, the possibility of a collision of TIDs from queries received from separate clients would be small but non-negligible on a busy name server. Such a collision could ruin the server's whole day, I presume, and make for a pretty broken design. I know it's BIND we're talking about, but still...
TXID collisions are easy to induce. Remember the old joke that starts, "How do you keep a moron in suspense?" If you're evil.com, just ask a vulnerable name server to resolve 0x0000.evil.com. And 0x0001.evil.com. And 0x0002.evil.com. And so on. And when the resolver comes 'round asking ns1.evil.com for the records it's after, just pretend the question was, "How do you keep a DNS resolver in suspense?"

pty
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
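The "small but non-negligible" claim in the quoted message is just the birthday bound on a 16-bit transaction ID space: what matters is how many queries a resolver has outstanding at once, and a slow or silent authoritative server inflates exactly that number. The following is an added example, not code from either poster; it computes the exact collision probability among N simultaneously outstanding, independently chosen TXIDs, the outstanding count at which a chosen risk level is reached, and a Monte Carlo check of the closed form. The 65536-entry ID space is the DNS header's 16-bit ID field; everything else (function names, the sample outstanding counts) is constructed for illustration.

```python
import random

# DNS header ID field is 16 bits, so 65536 possible transaction IDs.
TXID_SPACE = 1 << 16


def collision_probability(outstanding: int, space: int = TXID_SPACE) -> float:
    """Exact probability that at least two of `outstanding` uniformly and
    independently chosen IDs coincide (the classic birthday calculation).
    A collision means a reply carrying one ID could be matched against
    the wrong pending query."""
    if outstanding > space:
        return 1.0  # pigeonhole: more queries than IDs guarantees a collision
    p_distinct = 1.0
    for i in range(outstanding):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def outstanding_for_probability(target: float, space: int = TXID_SPACE) -> int:
    """Smallest number of concurrently outstanding queries at which the
    collision probability reaches `target`. Useful for sizing how much
    pending-query backlog a resolver can tolerate before ID reuse becomes
    likely rather than rare."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    p_distinct = 1.0
    n = 0
    while 1.0 - p_distinct < target:
        p_distinct *= (space - n) / space
        n += 1
    return n


def simulate_collision_rate(outstanding: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of collision_probability(): draw `outstanding`
    random 16-bit IDs per trial and count trials with any duplicate.
    Constructed check of the closed form, not a network measurement."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        ids = [rng.getrandbits(16) for _ in range(outstanding)]
        if len(set(ids)) < outstanding:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Sample outstanding-query counts are constructed for illustration.
    for n in (2, 50, 300, 1000):
        print(f"{n:5d} outstanding queries -> P(collision) = {collision_probability(n):.4f}")
    print(f"50% collision risk is reached at {outstanding_for_probability(0.5)} outstanding queries")
    print(f"simulated rate at 300 outstanding: {simulate_collision_rate(300, 2000):.3f}")
```

The point for a defender is that the ID field alone cannot distinguish responses once a few hundred queries are pending to the same server, which is why a resolver must also randomize the source port and must never derive its outgoing ID from the client's, as the quoted design would.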