Interesting People mailing list archives

Re: weakness in the DNS protocol


From: David Farber <dave () farber net>
Date: Wed, 9 Jul 2008 10:05:49 -0700


________________________________________
From: Steven M. Bellovin [smb () cs columbia edu]
Sent: Wednesday, July 09, 2008 11:43 AM
To: David Farber
Cc: ip
Subject: Re: [IP] weakness in the DNS protocol

On Wed, 9 Jul 2008 09:05:44 -0400
David Farber <dave () farber net> wrote:


http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php

A weakness in the DNS protocol may enable the poisoning of caching
recursive resolvers with spoofed data. DNSSEC is the only full
solution. New versions of BIND provide increased resilience to the
attack.

It's worth noting that Paul Vixie published the basic idea behind this
attack in 1995 at Usenix Security
(http://www.usenix.org/publications/library/proceedings/security95/vixie.html)
-- in a section titled "What We Cannot Fix", he wrote:

        With only 16 bits worth of query ID and 16 bits worth of UDP
        port number, it's hard not to be predictable.  A determined
        attacker can try all the numbers in a very short time and can
        use patterns derived from examination of the freely available
        BIND code. Even if we had a white noise generator to help
        randomize our numbers, it's just too easy to try them all.

As ISC notes, DNSSEC is really the path we need to follow.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb
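An added example, not part of the message above or of ISC's or Vixie's work: a small Python check of the two fields Vixie names, the 16-bit query ID and the 16-bit UDP source port, as seen in a sample of a resolver's own outbound queries. It estimates how many bits of variation each field actually shows and flags a resolver whose port never changes or whose IDs simply count upward. The two sample captures are constructed, not real traffic, and the thresholds are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

# Constructed sample traffic (not captured from any real resolver). Each tuple
# is (UDP source port, DNS query ID) as a packet capture of a resolver's
# outbound queries would show them.
_rng = random.Random(1234)
FIXED_PORT_RESOLVER = [(53, 0x1000 + i) for i in range(512)]   # one port, counting IDs
RANDOMIZED_RESOLVER = [(_rng.randrange(1024, 65536), _rng.randrange(65536))
                       for _ in range(512)]


def shannon_bits(values):
    """Shannon entropy, in bits, of the values observed in a sample."""
    n = len(values)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(values).values()))


def sequential_fraction(ids):
    """Fraction of consecutive query IDs that differ by exactly +1 (mod 2^16)."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if (b - a) % 65536 == 1)
    return steps / (len(ids) - 1)


def assess(observations):
    """Summarise how unpredictable a resolver's (port, id) pairs look.

    A sample of n packets can exhibit at most log2(n) bits of entropy, so the
    observed figures are compared against that ceiling rather than against the
    full 16 bits a field could carry. Thresholds (assumed): a field showing
    under half the observable bits, or IDs that are sequential more than half
    the time, are reported as weaknesses.
    """
    ports = [p for p, _ in observations]
    ids = [q for _, q in observations]
    n = len(observations)
    cap = math.log2(n)
    port_bits = shannon_bits(ports)
    id_bits = shannon_bits(ids)
    seq = sequential_fraction(ids)

    findings = []
    if port_bits < 0.5 * cap:
        findings.append("source port barely varies")
    if id_bits < 0.5 * cap:
        findings.append("query IDs barely vary")
    if seq > 0.5:
        findings.append("query IDs are sequential")

    return {
        "samples": n,
        "max_observable_bits": round(cap, 2),
        "port_bits_observed": round(port_bits, 2),
        "id_bits_observed": round(id_bits, 2),
        "sequential_id_fraction": round(seq, 2),
        "verdict": "weak" if findings else "no weakness seen",
        "findings": findings,
    }


if __name__ == "__main__":
    for name, sample in (("fixed-port resolver", FIXED_PORT_RESOLVER),
                         ("randomized resolver", RANDOMIZED_RESOLVER)):
        print(name, assess(sample))
```

The sample size matters: 512 queries can reveal at most 9 bits per field, so this check can expose a resolver that is clearly predictable (a fixed port, a counter for IDs) but cannot confirm that a field really delivers the full 16 bits; that needs a far larger capture or inspection of the resolver's own code, which is the point Vixie makes about the 32-bit ceiling being reachable only when both fields are genuinely random.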


