nanog mailing list archives

Re: DNS cache poisoning attacks -- are they real?


From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 29 Mar 2005 13:08:50 +0200


* Simon Waters:

>> This is _nothing_ to do with what you're running on the recursive
>> nameserver.  It is doing _exactly_ what it is supposed to do.  Get
>> answers, store in cache, respond to queries from cache if TTL isn't
>> expired.
>
> The answers from a recursive server won't be marked authoritative (AA bit not
> set), and so correct behaviour is to discard (BIND will log a lame server
> message as well by default) these records.

Unfortunately, this is not quite true.  Brad and Chris are right.  I
couldn't believe it either, but after a long stare at BIND's is_lame
function, I have to agree with them.

BIND accepts non-authoritative answers if their additional section
looks a bit like a referral.  I don't think that this check is
deliberately lax, but stricter checks are simply harder to do on this
particular code path.

> If your recursive resolver doesn't discard these records, suggest
> you get one that works ;)

Which one would?  Keep in mind that referrals do not have the AA bit
set, so a simple filter wouldn't work.
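An added illustration (not code from the thread or from BIND) of the distinction Florian is pointing at: a response without AA may be a legitimate referral or a lame answer, and the two can only be told apart by looking at the shape of the sections. The bailiwick rule applied to glue is an assumed hardening, not a description of BIND's is_lame(); record tuples and sample responses are constructed.

```python
# Added example: tell a referral from a lame (non-AA) answer, which a plain
# "AA bit set?" filter cannot do.  Records are (name, type, rdata) tuples with
# lower-case, dot-terminated names; the glue rule below is an assumption.
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Response:
    qname: str                                   # name that was queried
    aa: bool                                     # AA flag from the header
    answer: List[Tuple[str, str, str]] = field(default_factory=list)
    authority: List[Tuple[str, str, str]] = field(default_factory=list)
    additional: List[Tuple[str, str, str]] = field(default_factory=list)

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it."""
    return name == zone or name.endswith("." + zone)

def classify(resp: Response, zone_queried: str) -> str:
    """Return 'authoritative', 'referral' or 'lame'.

    zone_queried is the zone we asked this server about.  A referral has an
    empty answer section and NS records for exactly one child zone that sits
    strictly below zone_queried and at or above qname.  Any other non-AA
    response is treated as lame and should not be cached.
    """
    if resp.aa:
        return "authoritative"
    ns_owners = {r[0] for r in resp.authority if r[1] == "NS"}
    if resp.answer or len(ns_owners) != 1:
        return "lame"
    child = ns_owners.pop()
    if (child != zone_queried and in_bailiwick(child, zone_queried)
            and in_bailiwick(resp.qname, child)):
        return "referral"
    return "lame"

def usable_glue(resp: Response, zone_queried: str) -> List[Tuple[str, str, str]]:
    """Keep only address records the queried server may legitimately supply."""
    return [r for r in resp.additional
            if r[1] in ("A", "AAAA") and in_bailiwick(r[0], zone_queried)]

# Constructed sample 1: a proper referral from a .com server for www.example.com.
REFERRAL = Response("www.example.com.", aa=False,
                    authority=[("example.com.", "NS", "ns1.example.com.")],
                    additional=[("ns1.example.com.", "A", "192.0.2.53")])

# Constructed sample 2: a non-AA answer dressed up to look like a referral,
# carrying an address record for a name outside the zone we asked about.
LAME = Response("www.example.com.", aa=False,
                answer=[("www.example.com.", "A", "198.51.100.7")],
                authority=[("example.com.", "NS", "ns.elsewhere.example.")],
                additional=[("ns.elsewhere.example.", "A", "198.51.100.8")])
```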

