Dailydave mailing list archives

Detecting DNS Events


From: Jose Avila <jose () onzra com>
Date: Mon, 14 Jul 2008 10:56:45 -0700

Cache Poisoning has been around for many years... As Halvar has stated  
in his blog we have survived much worse, and I believe we will survive  
this current issue.  One thing that has amused me is how well  
orchestrated this entire event has been; and as such, I commend  
everyone that has been involved in the process from start to finish.

With these releases we have one more Cache Poisoning attack prevented;  
however, we still don’t really have a method for confirming and  
verifying that a recursive server has been poisoned.  The recursive  
provider finds out when services start failing, customers start  
calling in, etc.

With help from Dan, and a few others, I started work on a small open  
source application to monitor and verify the cache of a recursive  
server. The overall concept was to take periodic dumps of the  
in-memory cache from the recursive server, validate these dumps against  
the authoritative name servers, and peer recursive name servers,  
alerting when something could not be validated.  Once we were able to  
narrow down the false positives from the Content Delivery Networks,  
there started to be a bit more hope.

The tool is currently released under the BSD License and is free for  
anyone to use, and contribute to.  It’s currently an early release, but  
it’s my hope that as time progresses, we’ll have a scalable, stable  
tool that recursive providers can use to detect and respond  
quicker to cache poisoning events.

Currently there is not a lot of documentation, but I’m hoping to have  
something more detailed written up soon. Feel free to contact me with  
any questions or comments.

Tool download: http://www.onzra.com/CacheAudit-Latest.tgz

Thanks,

Jose

--
Jose Avila III
www.onzra.com
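A sketch of the dump, validate, alert loop the post describes, written as an added example and not code from CacheAudit or its author. The cache dump, the authoritative answers and the peer resolver answers are constructed inline where the real tool would query live servers, and the dump format is modelled on BIND's `rndc dumpdb` output.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the style of a BIND "rndc dumpdb -cache" file (not a real capture).
SAMPLE_DUMP = """\
; Start view _default
www.example.com.\t300\tIN\tA\t192.0.2.10
www.example.com.\t300\tIN\tA\t192.0.2.11
cdn.example.net.\t60\tIN\tA\t198.51.100.7
bank.example.org.\t3600\tIN\tA\t203.0.113.99
"""

# Constructed stand-ins for live queries to the zone's authoritative servers and to
# peer recursive resolvers. Keyed by (owner name, record type).
AUTHORITATIVE = {
    ("www.example.com.", "A"): {"192.0.2.10", "192.0.2.11"},
    ("cdn.example.net.", "A"): {"198.51.100.5"},   # CDN handed us a different edge node
    ("bank.example.org.", "A"): {"203.0.113.5"},
}
PEERS = [
    {("cdn.example.net.", "A"): {"198.51.100.7"}, ("bank.example.org.", "A"): {"203.0.113.5"}},
    {("cdn.example.net.", "A"): {"198.51.100.6"}, ("bank.example.org.", "A"): {"203.0.113.5"}},
]

RRSet = Dict[Tuple[str, str], Set[str]]
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)$")

def parse_cache_dump(text: str) -> RRSet:
    """Group cached A/AAAA rdata by (owner, type); comments and other RR types are skipped."""
    cache: RRSet = {}
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if line.lstrip().startswith(";") or not m:
            continue
        name, _ttl, rtype, rdata = m.groups()
        cache.setdefault((name.lower(), rtype), set()).add(rdata)
    return cache

def audit_cache(cache: RRSet, auth: RRSet, peers: List[RRSet]) -> List[Tuple[str, str, str]]:
    """One (verdict, rrset, rdata) per cached record.
    ok           : rdata is in the authoritative answer set
    cdn-variance : not authoritative, but some peer resolver also holds it, so it is
                   most likely a per-vantage-point CDN answer rather than poisoning
    ALERT        : neither the authoritative servers nor any peer agree with our cache
    """
    findings = []
    for key, rdatas in sorted(cache.items()):
        peer_union = set().union(*(p.get(key, set()) for p in peers))
        for rdata in sorted(rdatas):
            verdict = "ok" if rdata in auth.get(key, set()) else \
                      "cdn-variance" if rdata in peer_union else "ALERT"
            findings.append((verdict, f"{key[0]} {key[1]}", rdata))
    return findings

def alerts() -> List[Tuple[str, str, str]]:
    """Only the records nobody else can vouch for; these are what the tool would page on."""
    return [f for f in audit_cache(parse_cache_dump(SAMPLE_DUMP), AUTHORITATIVE, PEERS)
            if f[0] == "ALERT"]
```

In a deployment the two dictionaries would be refreshed by querying the zone's NS set and a few trusted peer resolvers each cycle, so that a CDN's differing edge answers stay in the "cdn-variance" bucket instead of paging on every dump.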