nanog mailing list archives

Re: DNS cache poisoning attacks -- are they real?

From: John Payne <john () sackheads org>
Date: Mon, 28 Mar 2005 01:04:22 -0500



On Mar 27, 2005, at 1:25 PM, Christopher L. Morrow wrote:

Larger providers have the problem that you can't easily filter
'customers' from 'non-customers' in a sane and scalable fashion.


Hrm?  Larger providers tend to have old swamp space lying around :)

Throw the resolvers on a netblock that's not routed out to your borderrouters (transit, peering), only the customer facing ones... with asecondary address that is routed. Secondary address doesn't listen forqueries, only answers.

And to Randy's point about problems with open recursive nameservers...abusers have been known to cache "hijack". Register a domain,configure an authority with very large TTLs, seed it onto known openrecursive nameservers, update domain record to point to the openrecursive servers rather than their own. Wammo, "bullet proof" dnshosting.

(Yeah, it'd be nice if people didn't listen to non-AA answers to theirqueries, but they do).

Current thread:

Re: DNS cache poisoning attacks -- are they real?, (continued)
- - - Re: DNS cache poisoning attacks -- are they real? Sean Donelan (Mar 26)
    - Re: DNS cache poisoning attacks -- are they real? Joe Abley (Mar 26)
    - Re: DNS cache poisoning attacks -- are they real? Niels Bakker (Mar 27)
    - Re: DNS cache poisoning attacks -- are they real? Florian Weimer (Mar 27)
    - Re: DNS cache poisoning attacks -- are they real? Edward Lewis (Mar 28)
    - Re: DNS cache poisoning attacks -- are they real? Christopher L. Morrow (Mar 26)
  - Re: DNS cache poisoning attacks -- are they real? Suresh Ramasubramanian (Mar 27)
    - Re: DNS cache poisoning attacks -- are they real? Joe Maimon (Mar 27)
    - Re: DNS cache poisoning attacks -- are they real? Randy Bush (Mar 27)
    - Re: DNS cache poisoning attacks -- are they real? Christopher L. Morrow (Mar 27)
    - Re: DNS cache poisoning attacks -- are they real? John Payne (Mar 28)
    - Re: DNS cache poisoning attacks -- are they real? Randy Bush (Mar 28)
    - Re: DNS cache poisoning attacks -- are they real? John Payne (Mar 28)
    - Re: DNS cache poisoning attacks -- are they real? Simon Waters (Mar 29)
    - Re: DNS cache poisoning attacks -- are they real? Florian Weimer (Mar 29)
    - Message not available
    - Re: DNS cache poisoning attacks -- are they real? Florian Weimer (Mar 30)
    - Re: DNS cache poisoning attacks -- are they real? Chris Brenton (Mar 29)
    - Re: DNS cache poisoning attacks -- are they real? Florian Weimer (Mar 29)
    - Re: DNS cache poisoning attacks -- are they real? John Payne (Mar 30)
    - Re: DNS cache poisoning attacks -- are they real? Chris Brenton (Mar 28)
    - Re: DNS cache poisoning attacks -- are they real? Joe Maimon (Mar 29)

(Thread continues...)