oss-sec mailing list archives

Re: PowerDNS Security Advisory 2014-02


From: Hanno Böck <hanno () hboeck de>
Date: Tue, 9 Dec 2014 09:22:28 +0100

On Tue, 9 Dec 2014 08:16:20 +0100
Peter van Dijk <peter.van.dijk () netherlabs nl> wrote:

Somebody asked me to (help him) check djbdns today, which we’ll do.
Any other implementations you are interested in? I have a lab setup
for this issue so I’m happy to check.

I think dnsmasq would be interesting. Don't know which servers from the
proprietary world may be worth investigating.

And is this only a DoS for the attacked server or would it also
allow some completely new kind of DNS reflection attack (i.e.
generating a loop where every loop iteration generates a UDP
packet sent to a victim)?

I’m convinced the loop could involve unwilling victims (unless they
send responses that break the loop!), but I have not tried this in
practice.

However that would be very interesting to know. DNS reflection attacks
are a big thing, if they could be amplified with a loop on the resolver
that'd almost certainly boost this issue to a whole new level.


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
