From owner-freebsd-security Sat Mar 13 22:46:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from alive.znep.com (sense-sea-MegaSub-1-222.oz.net [216.39.144.222]) by hub.freebsd.org (Postfix) with ESMTP id 7A5EE14FA0 for ; Sat, 13 Mar 1999 22:46:15 -0800 (PST) (envelope-from marcs@znep.com)
Received: from localhost (marcs@localhost) by alive.znep.com (8.9.1/8.9.1) with ESMTP id WAA03360; Sat, 13 Mar 1999 22:53:36 -0800 (PST) (envelope-from marcs@znep.com)
Date: Sat, 13 Mar 1999 22:53:36 -0800 (PST)
From: Marc Slemko
To: Alan , Jesse
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: bind 8.1.2 cache poisoning
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 13 Mar 1999, Jesse wrote:

[...]
> So I checked around and found in the Jan 99 section of rootshell an
> exploit which claims to insert entries into the caches of bind 8.1.2
> servers (which is what I run and as far as I can tell is the latest
> version). If this is true, as it appears, I'm wondering why there's been
> no discussion of this anywhere (or any fixes). Seems pretty serious if
> anyone can screw with your DNS cache..

Yup, it can be done. There are three or four programs that I have seen
which do it.

The way a name server can match a response to a request is by looking at
the query id. This query id is a 16 bit number. If you can guess that
number, you can often spoof a response.

One way to make it harder to exploit is to have your nameserver send
queries from multiple ports in random order so that it is difficult to
tell which port to spoof to. This can get a lot more expensive and take a
fair amount more resources, but is practical in some situations.

The other thing to do is to randomize the query id. Right now it is just
++'ed for each query, making it easy to guess.
Randomizing it requires more complicated work to have a cheap way to
ensure you don't reuse ids for outstanding queries. This can't prevent
attacks, since the 16-bit id is just too small a space and too easy to
flood, but it can help.

8.2 will be out soon that will have DNSSEC that will fix these issues in
the long term. Paul was talking about 8.1.2++ which would contain
randomized query ids which help a bit, but I don't know that such a thing
will necessarily be released. In any case, it looks like 8.2 will have
randomized query ids as well.

On Sat, 13 Mar 1999, Alan wrote:

> The main server people are hitting is a.root-servers.net, they use this for
> non-existent domains. Messing with the root-servers is just wrong.

Hmm? I'm not sure what you are talking about. The root name servers do
not run with recursion enabled making this attack not work against them.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
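The matching rule Marc describes above (a reply is accepted when its 16-bit query id, and the UDP port it arrives on, match an outstanding query) is what the poisoning tools exploit. The following is an added example, not code from the post, from BIND, or from any of the exploit programs mentioned. It builds real RFC 1035 wire-format queries and responses, models a toy resolver that matches replies exactly that way, and runs a simplified attacker against three configurations: sequential ids on a fixed port (the BIND 8.1.2 behaviour the post describes), random ids on a fixed port, and random ids plus random source ports. The attacker model assumes it controls a domain (`probe.attacker.example`, a constructed name) so it can see one of the resolver's query ids and source ports, then floods spoofed answers for the target name with the next ids; the race against the legitimate reply, and the fixed port number 53, are simplifying assumptions, and all names and addresses are constructed.

```python
import random
import struct

# DNS header (RFC 1035 4.1.1): id, flags, qdcount, ancount, nscount, arcount
DNS_HEADER = struct.Struct("!HHHHHH")
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(pkt, off):
    """Decode an uncompressed label sequence at off; return (name, next_offset)."""
    labels = []
    while pkt[off] != 0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(txid, qname):
    hdr = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)          # RD set, one question
    return hdr + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(txid, qname, ipv4, ttl=3600):
    hdr = DNS_HEADER.pack(txid, 0x8180, 1, 1, 0, 0)          # QR, RD, RA; one answer
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return hdr + question + answer


def parse_response(pkt):
    """Return (txid, qname, ipv4) from a one-answer A response as built above."""
    txid = DNS_HEADER.unpack_from(pkt, 0)[0]
    qname, off = decode_name(pkt, DNS_HEADER.size)
    off += 4                                                  # qtype, qclass
    _, off = decode_name(pkt, off)                            # answer owner name
    rdlen = struct.unpack_from("!HHIH", pkt, off)[3]
    off += 10
    return txid, qname, ".".join(str(b) for b in pkt[off:off + rdlen])


class Resolver:
    """Toy recursive resolver: only the reply-to-query matching logic is modelled."""

    def __init__(self, random_ids, random_ports, seed=0):
        self.rng = random.Random(seed)
        self.random_ids, self.random_ports = random_ids, random_ports
        self.next_id = 1            # post's description of BIND 8.1.2: id is just ++'ed
        self.outstanding = {}       # (source_port, txid) -> qname
        self.cache = {}             # qname -> ipv4

    def send_query(self, qname):
        # Assumption: a non-randomising resolver sends every query from port 53.
        port = self.rng.randrange(1024, 65536) if self.random_ports else 53
        if self.random_ids:
            # The bookkeeping the post mentions: a fresh id must not collide with
            # an id still outstanding on the same port, or replies would be ambiguous.
            while True:
                txid = self.rng.randrange(65536)
                if (port, txid) not in self.outstanding:
                    break
        else:
            txid, self.next_id = self.next_id, (self.next_id + 1) & 0xFFFF
        self.outstanding[(port, txid)] = qname
        return build_query(txid, qname), port

    def receive(self, pkt, dst_port):
        """Accept a reply only if (port, id) belongs to an outstanding query for that name."""
        txid, qname, ipv4 = parse_response(pkt)
        if self.outstanding.get((dst_port, txid)) != qname:
            return False
        del self.outstanding[(dst_port, txid)]
        self.cache[qname] = ipv4
        return True


def poison(resolver, target, evil_ip, guesses):
    """Simplified attacker: learn one (port, id) via an attacker-controlled name, then
    spoof replies for target using the next `guesses` ids. Timing races are ignored."""
    probe_pkt, probe_port = resolver.send_query("probe.attacker.example")   # constructed name
    leaked_id = DNS_HEADER.unpack_from(probe_pkt, 0)[0]
    resolver.receive(build_response(leaked_id, "probe.attacker.example", "203.0.113.1"), probe_port)
    resolver.send_query(target)                    # victim is induced to look up the target
    for i in range(1, guesses + 1):
        spoof = build_response((leaked_id + i) & 0xFFFF, target, evil_ip)
        if resolver.receive(spoof, probe_port):    # attacker reuses the port it observed
            return True
    return False


def success_rate(random_ids, random_ports, guesses, trials=200):
    """Fraction of independent resolvers (different seeds) the attacker poisons."""
    wins = sum(poison(Resolver(random_ids, random_ports, seed=s),
                      "www.victim.example", "198.51.100.7", guesses) for s in range(trials))
    return wins / trials


if __name__ == "__main__":
    for ids, ports in ((False, False), (True, False), (True, True)):
        print(f"random ids={ids!s:5} random ports={ports!s:5} "
              f"success with 256 guesses: {success_rate(ids, ports, 256):.3f}")
```

With sequential ids on a fixed port a single guess wins every time; with random ids the same flood of 256 spoofs wins at roughly 256/65536 of the trials, and adding random source ports drives it lower still, which is the post's point that randomisation raises the cost without closing a 16-bit space against a determined flood.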