Date:      Sat, 13 Mar 1999 22:53:36 -0800 (PST)
From:      Marc Slemko <marcs@znep.com>
To:        Alan <security@unixpower.org>, Jesse <j@lumiere.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: bind 8.1.2 cache poisoning
Message-ID:  <Pine.BSF.4.05.9903132231320.15783-100000@alive.znep.com>
In-Reply-To: <Pine.BSF.4.05.9903130520380.7303-100000@leaf.lumiere.net>

On Sat, 13 Mar 1999, Jesse wrote:

[...]

> So I checked around and found in the Jan 99 section of rootshell an
> exploit which claims to insert entries into the caches of bind 8.1.2
> servers (which is what I run and as far as I can tell is the latest
> version). If this is true, as it appears, I'm wondering why there's been
> no discussion of this anywhere (or any fixes). Seems pretty serious if
> anyone can screw with your DNS cache..

Yup, it can be done.  There are three or four programs that I have seen
which do it.

The way a name server can match a response to a request is by looking
at the query id.  This query id is a 16 bit number.  If you can guess
that number, you can often spoof a response.

One way to make it harder to exploit is to have your nameserver send
queries from multiple ports in random order so that it is difficult
to tell which port to spoof to.  This can get a lot more expensive and
take a fair amount more resources, but is practical in some situations.

The other thing to do is to randomize the query id.  Right now it is 
just ++'ed for each query, making it easy to guess.  Randomizing it
requires more complicated work to have a cheap way to ensure you don't
reuse ids for outstanding queries.  This can't prevent attacks, since
the 16-bit id is just too small a space and too easy to flood, but it
can help.

8.2 will be out soon that will have DNSSEC that will fix these 
issues in the long term.

Paul was talking about 8.1.2++ which would contain randomized query
ids which help a bit, but I don't know that such a thing will
necessarily be released.  In any case, it looks like 8.2 will have
randomized query ids as well.

On Sat, 13 Mar 1999, Alan wrote:

> The main server people are hitting is a.root-servers.net, they use this for
> non-existent domains.  Messing with the root-servers is just wrong.

Hmm?  I'm not sure what you are talking about.  The root name servers do
not run with recursion enabled, making this attack not work against them.



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
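The message above explains why a 16-bit query id that is simply incremented is weak, that randomizing it needs bookkeeping so an id is not reused while a query is outstanding, and that spreading queries over many source ports enlarges the space a forger has to guess. The following is an added illustration for operators, not code from the thread, from BIND, or from anyone on the list: a random id allocator with the no-reuse bookkeeping, an audit routine an operator can run over ids captured from their own resolver's outbound queries to tell a ++'ed counter from a randomized one, and a small risk model for how the success chance of blind forged responses shrinks as the search space grows. The verdict thresholds (0.9 and 0.1), the class and function names, and the use of Python's `secrets` module are my own choices; the sample id sequences are constructed.

```python
"""Added example (not from the original thread) around the 16-bit DNS query id.

1. QueryIdAllocator: cryptographically random ids, never reused while the
   query that holds the id is still outstanding.
2. audit_query_ids: classify ids captured from a resolver's outbound queries
   as sequential (++'ed) or randomized.
3. spoof_success_probability: chance that at least one of n blind forged
   responses matches, for a given search space (ids alone, or ids combined
   with randomized source ports).
"""
import secrets

ID_SPACE = 1 << 16  # the DNS header id field is 16 bits


class QueryIdAllocator:
    """Random 16-bit query ids with no reuse while a query is outstanding."""

    def __init__(self):
        self._outstanding = set()

    def allocate(self):
        """Return a fresh random id not held by any outstanding query."""
        if len(self._outstanding) >= ID_SPACE:
            raise RuntimeError("all 65536 query ids are in use")
        while True:
            qid = secrets.randbelow(ID_SPACE)  # CSPRNG draw, not a counter
            if qid not in self._outstanding:
                self._outstanding.add(qid)
                return qid

    def release(self, qid):
        """Call when the matching response arrives or the query times out."""
        self._outstanding.discard(qid)

    def outstanding(self):
        return len(self._outstanding)


def audit_query_ids(ids):
    """Classify captured outbound query ids as sequential or randomized.

    ids: 16-bit ids in the order the resolver sent them.
    Returns (fraction of consecutive pairs that differ by exactly 1 mod 2^16,
    verdict string). Thresholds 0.9 / 0.1 are an assumption of this example.
    """
    if len(ids) < 2:
        raise ValueError("need at least two ids")
    steps = sum(1 for a, b in zip(ids, ids[1:]) if (b - a) % ID_SPACE == 1)
    frac = steps / (len(ids) - 1)
    if frac >= 0.9:
        verdict = "sequential"
    elif frac <= 0.1:
        verdict = "randomized"
    else:
        verdict = "mixed"
    return frac, verdict


def spoof_success_probability(forged_responses, source_ports=1):
    """Probability that at least one of `forged_responses` blind guesses hits,
    when the id space is multiplied by `source_ports` equally likely source
    ports (1 = a fixed query port, so the id alone is the protection)."""
    space = ID_SPACE * source_ports
    return 1.0 - (1.0 - 1.0 / space) ** forged_responses


if __name__ == "__main__":
    # Constructed sample: a resolver that just ++'s the id, wrapping at 2^16.
    counter_ids = [(65530 + i) % ID_SPACE for i in range(200)]
    print("counter:", audit_query_ids(counter_ids))

    alloc = QueryIdAllocator()
    random_ids = [alloc.allocate() for _ in range(200)]
    print("random :", audit_query_ids(random_ids))

    for ports in (1, 1000, 50000):
        p = spoof_success_probability(65536, ports)
        print(f"65536 forged responses, {ports:>5} ports: {p:.4f}")
```

The allocator's retry loop is cheap because the set only holds ids of queries still in flight, which is far fewer than 65536 on any sane resolver; the audit is meant for ids captured passively from your own resolver's outbound traffic. The probability function makes the message's point concrete: with a fixed port, 65536 forged responses give roughly a 63% chance of a hit, while spreading queries across many ports pushes the same effort down towards a fraction of a percent.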