Interesting People mailing list archives
Re: weakness in the DNS protocol
From: David Farber <dave () farber net>
Date: Wed, 9 Jul 2008 10:05:49 -0700
________________________________________
From: Steven M. Bellovin [smb () cs columbia edu]
Sent: Wednesday, July 09, 2008 11:43 AM
To: David Farber
Cc: ip
Subject: Re: [IP] weakness in the DNS protocol

On Wed, 9 Jul 2008 09:05:44 -0400 David Farber <dave () farber net> wrote:

> http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
>
> A weakness in the DNS protocol may enable the poisoning of caching recursive resolvers with spoofed data. DNSSEC is the only full solution. New versions of BIND provide increased resilience to the attack.

It's worth noting that Paul Vixie published the basic idea behind this attack in 1995 at Usenix Security (http://www.usenix.org/publications/library/proceedings/security95/vixie.html) -- in a section titled "What We Cannot Fix", he wrote:

> With only 16 bits worth of query ID and 16 bits worth of UDP port number, it's hard not to be predictable. A determined attacker can try all the numbers in a very short time and can use patterns derived from examination of the freely available BIND code. Even if we had a white noise generator to help randomize our numbers, it's just too easy to try them all.

As ISC notes, DNSSEC is really the path we need to follow.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
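The 16-bit query ID and 16-bit UDP port that Vixie's quoted passage describes are the only fields a caching resolver can use to tell a genuine answer from a forged one. The following Python is an added example, not code from the list post, ISC, or BIND: it computes the size of that matching space with and without a randomized source port, and shows the resolver-side check a defender would log on, namely answers that arrive for a pending name but carry the wrong ID or port. The query and response records are constructed sample data, and `Query`/`Response`/`classify_responses` are names chosen here, not any real resolver's API.

```python
"""Added example: size of the DNS ID/port matching space, plus a resolver-side
check that flags answers whose ID or port does not match an outstanding query.
All sample data below is constructed for illustration."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    qname: str
    txid: int   # 16-bit DNS transaction ID the resolver chose
    port: int   # UDP source port the resolver sent the query from


@dataclass(frozen=True)
class Response:
    qname: str
    txid: int   # transaction ID carried in the reply
    port: int   # UDP destination port the reply was sent to


def guess_space(id_bits: int = 16, port_bits: int = 0) -> int:
    """Distinct (transaction ID, source port) combinations a forged reply must hit.
    A resolver that always sends from one fixed port exposes only the ID (port_bits=0);
    randomizing the port adds up to 16 more bits (in practice somewhat fewer, since
    not every port is usable)."""
    return 1 << (id_bits + port_bits)


def match_probability(space: int) -> float:
    """Chance that a single forged reply matches one outstanding query."""
    return 1.0 / space


def entropy_bits(space: int) -> float:
    """Bits of unpredictability the resolver gets from a space of this size."""
    return math.log2(space)


def classify_responses(outstanding, responses):
    """Split replies into accepted (they match a pending query exactly) and
    mismatched (no pending query has that name, ID and port). A burst of
    mismatches for one name is the signal a resolver operator would alert on."""
    pending = {(q.qname, q.txid, q.port) for q in outstanding}
    accepted, mismatched = [], []
    for r in responses:
        key = (r.qname, r.txid, r.port)
        if key in pending:
            accepted.append(r)
            pending.discard(key)   # first matching answer wins; later duplicates are suspicious
        else:
            mismatched.append(r)
    return accepted, mismatched


def mismatch_counts(mismatched):
    """Count mismatched replies per queried name for alerting."""
    counts = {}
    for r in mismatched:
        counts[r.qname] = counts.get(r.qname, 0) + 1
    return counts


# Constructed sample: one pending query and a handful of replies seen on the wire.
OUTSTANDING = [Query("www.example.com.", txid=0x1A2B, port=53212)]
OBSERVED = [
    Response("www.example.com.", 0x0001, 53212),   # wrong ID
    Response("www.example.com.", 0x0002, 53212),   # wrong ID
    Response("www.example.com.", 0x1A2B, 53212),   # matches the pending query
    Response("www.example.com.", 0x0003, 53212),   # wrong ID
    Response("mail.example.com.", 0x7777, 40001),  # nothing pending for this name
]

if __name__ == "__main__":
    for port_bits in (0, 16):
        space = guess_space(16, port_bits)
        print(f"ID + {port_bits} port bits: {entropy_bits(space):.0f} bits, "
              f"p(match per forged reply) = {match_probability(space):.2e}")
    accepted, mismatched = classify_responses(OUTSTANDING, OBSERVED)
    print("accepted:", len(accepted), "mismatched per name:", mismatch_counts(mismatched))
```

Running the block prints 16 bits of unpredictability for a fixed-port resolver against 32 bits with port randomization, and reports three mismatched replies for `www.example.com.` plus one for a name with no query pending; it is the latter kind of count, not the raw packet rate, that is worth thresholding in resolver logs, and as the post says neither figure substitutes for DNSSEC.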