Dailydave mailing list archives

Re: DNS Guess 2 for the day


From: Parity <pty.err () gmail com>
Date: Sun, 13 Jul 2008 23:02:41 +0200

 On Sun, Jul 13, 2008 at 3:18 PM, Petja van der Lek <lek () xs4all nl> wrote:

Now, were a name server to retain and reuse the TID received from a
client in its corresponding outgoing queries, the possibility of a
collision of TIDs from queries received from separate clients would be
small but non-negligible on a busy name server. Such a collision could
ruin the server's whole day, I presume, and make for a pretty broken
design. I know it's BIND we're talking about, but still...


TXID collisions are easy to induce.

Remember the old joke that starts, "How do you keep a moron in suspense?"

If you're evil.com, just ask a vulnerable name server to resolve
0x0000.evil.com.  And 0x0001.evil.com.  And 0x0002.evil.com.  And so on.
And when the resolver comes 'round asking ns1.evil.com for the records it's
after, just pretend the question was, "How do you keep a DNS resolver in
suspense?"

pty
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
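As an added illustration, not part of the thread, the birthday bound behind Petja's "small but non-negligible": with 16-bit transaction IDs, a few hundred outstanding queries already give a coin-flip chance of two sharing a TXID. The simulation models a hypothetical resolver that copies each client's TXID into its own upstream query (constructed scenario, not any real server's code).

```python
import random

TXID_SPACE = 1 << 16  # DNS transaction IDs are 16 bits wide


def collision_probability(outstanding: int, space: int = TXID_SPACE) -> float:
    """Exact birthday-bound probability that at least two of `outstanding`
    independently and uniformly chosen TXIDs coincide (product form)."""
    p_no_collision = 1.0
    for i in range(outstanding):
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision


def queries_for_probability(target: float, space: int = TXID_SPACE) -> int:
    """Smallest number of concurrently outstanding queries at which the
    collision probability reaches `target`."""
    n = 1
    while collision_probability(n, space) < target:
        n += 1
    return n


def simulate_reused_txids(clients: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo of a hypothetical resolver that reuses the client-supplied
    TXID for its upstream query. Returns the fraction of trials in which two
    simultaneously outstanding upstream queries end up with the same TXID,
    i.e. a reply for one could be taken as the reply for the other."""
    rng = random.Random(seed)
    collided = 0
    for _ in range(trials):
        outstanding = set()
        for _ in range(clients):
            txid = rng.randrange(TXID_SPACE)  # constructed: each client picks a random TXID
            if txid in outstanding:
                collided += 1
                break
            outstanding.add(txid)
    return collided / trials


if __name__ == "__main__":
    for n in (10, 100, 300, 1000):
        print(f"{n:5d} outstanding queries -> P(collision) = {collision_probability(n):.4f}")
    half = queries_for_probability(0.5)
    print(f"50% collision chance at {half} outstanding queries")
    print(f"simulated rate at {half} clients: {simulate_reused_txids(half, 2000):.3f}")
```

The numbers are the reason a resolver must mint its own fresh, unpredictable TXID per upstream query rather than echo the client's, and why 16 bits alone is too little entropy without source-port randomization as well.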
