Dailydave mailing list archives
Detecting DNS Events
From: Jose Avila <jose () onzra com>
Date: Mon, 14 Jul 2008 10:56:45 -0700
Cache Poisoning has been around for many years... As Halvar has stated in his blog we have survived much worse, and I believe we will survive this current issue. One thing that has amused me is how well orchestrated this entire event has been; and as such, I commend everyone that has been involved in the process from start to finish.

With these releases we have one more Cache Poisoning attack prevented; however, we still don’t really have a method for confirming and verifying that a recursive server has been poisoned. The recursive provider finds out when services start failing, customers start calling in, etc.

With help from Dan, and a few others, I started work on a small open source application to monitor and verify the cache of a recursive server. The overall concept was to take periodic dumps of the in-memory cache from the recursive server, validate these dumps against the authoritative name servers, and peer recursive name servers, alerting when something could not be validated. Once we were able to narrow down the false positives from the Content Delivery Networks, there started to be a bit more hope.

The tool is currently released under the BSD License and is free for anyone to use, and contribute to. It's currently an early release, but it's my hope that as time progresses, we’ll have a scalable, stable tool that recursive providers can use to detect and respond quicker to cache poisoning events.

Currently there is not a lot of documentation, but I’m hoping to have something more detailed written up soon. Feel free to contact me with any questions or comments.

Tool download: http://www.onzra.com/CacheAudit-Latest.tgz

Thanks,
Jose

--
Jose Avila III
www.onzra.com
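The audit loop the message describes (dump the cache, check each record against authoritative and peer recursive answers, alert on whatever cannot be validated), as an added example that is not CacheAudit's code. The dump layout, the dictionaries standing in for live lookups, the function names and the `min_peers` rule used as a CDN allowance are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample dump; the "name TTL IN TYPE rdata" layout is an assumption.
CACHE_DUMP = """\
; constructed cache dump
www.example.com.    300 IN A 192.0.2.10
cdn.example.net.     20 IN A 198.51.100.7
bank.example.org. 86400 IN A 203.0.113.66
"""

# Constructed reference answers standing in for live authoritative and peer queries.
AUTHORITATIVE = {
    ("www.example.com.", "A"): {"192.0.2.10"},
    ("cdn.example.net.", "A"): {"198.51.100.1", "198.51.100.2"},
    ("bank.example.org.", "A"): {"192.0.2.80"},
}
PEERS = {
    "peer1": {("cdn.example.net.", "A"): {"198.51.100.7"},
              ("bank.example.org.", "A"): {"192.0.2.80"}},
    "peer2": {("cdn.example.net.", "A"): {"198.51.100.7", "198.51.100.9"},
              ("bank.example.org.", "A"): {"192.0.2.80"}},
}

def parse_dump(text):
    """Return {(name, type): set(rdata)}, skipping comments and malformed lines."""
    cache = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split(None, 4)
        if len(fields) != 5 or fields[2].upper() != "IN":
            continue
        name, _ttl, _cls, rtype, rdata = fields
        cache[(name.lower(), rtype.upper())].add(rdata.strip())
    return dict(cache)

def audit(cache, authoritative, peers, min_peers=2):
    """Classify each cached RRset as validated, peer-corroborated or alert."""
    verdicts = {}
    for key, cached in cache.items():
        unexplained = cached - authoritative.get(key, set())
        if not unexplained:
            verdicts[key] = "validated"
            continue
        # Assumed CDN allowance: each unexplained value must be seen by min_peers peers.
        agree = min(sum(v in p.get(key, set()) for p in peers.values())
                    for v in unexplained)
        verdicts[key] = "peer-corroborated" if agree >= min_peers else "alert"
    return verdicts

if __name__ == "__main__":
    for (name, rtype), verdict in audit(parse_dump(CACHE_DUMP), AUTHORITATIVE, PEERS).items():
        print(f"{verdict:18} {name} {rtype}")
```

Peer corroboration is weaker evidence than an authoritative match, since a peer can hold the same bad record, so those entries are worth logging separately rather than silently accepting.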