Bugtraq mailing list archives
Re: DNS abuse
From: ddandar () LCARS DYNDNS COM (David M. Dandar)
Date: Sat, 14 Jun 1997 16:36:28 -0400
That URL, http://apostols.org/toolz/dnshack.cgi, works even with the supposed release version of BIND 8.1 (05-06-97). The culprit is a query for DNS.test.15169.spoof.apostols.org, which returns that address as being a CNAME for Ohhh.shit.My.DNS.server.is.vulnerable, and tacks a whole bunch of other info into the response. All of it ends up in everyone's cache.

This is the same type of attack outlined by Johannes Erdfelt back in April. It's nothing difficult or fancy. In about 2 minutes, I had my local name server returning bogus information in the same genre of the test page above. All I had to do was tell my server it was authoritative for the domain I was spoofing.

Excuse me if I am completely wrong on this, but couldn't we just ignore any RRs for stuff we didn't directly ask for? Just let our local server initiate another query for Ohhh.shit.My.DNS.server.is.vulnerable.? The remote server is not authoritative for that domain, and would never get a chance to answer. Granted that this would increase latency and bandwidth, but it would avoid the problem.

I certainly wouldn't mind it if everyone had servers that injected www.enemy.org for www.microsoft.com, but Microsoft might. :)

David Dandar

--
David M. Dandar    ddandar () lcars dyndns com
PGP public key available via finger from above address.
ddandar () erols com    ddandar () technet tjhsst edu    dmdc00z () mail odu edu
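The filtering rule proposed in the message above, as an added example that is not part of the original post or of BIND: a resolver-side check that caches only records owned by the name it asked about and re-queries any CNAME target itself. The names `RR`, `filter_response` and `in_zone` are hypothetical, the sample response and its addresses are constructed, and the optional `zone` argument goes beyond the post by also accepting records that lie inside the zone the answering server was asked about.

```python
from typing import NamedTuple

class RR(NamedTuple):
    section: str  # "answer", "authority" or "additional"
    name: str     # owner name
    rtype: str
    rdata: str

def norm(name):
    """Lower-case and drop the trailing dot so names compare reliably."""
    return name.rstrip(".").lower()

def in_zone(name, zone):
    """True if name equals zone or is a subdomain of it (label-aligned)."""
    n, z = norm(name), norm(zone)
    return n == z or n.endswith("." + z)

def filter_response(qname, qtype, records, zone=None):
    """Return (cacheable, discarded, requery) for one response.

    Strict mode (zone=None) keeps only answer RRs owned by qname.
    With zone set, RRs whose owner lies inside that zone are kept too.
    """
    keep, drop, requery = [], [], []
    for rr in records:
        asked = (rr.section == "answer" and norm(rr.name) == norm(qname)
                 and rr.rtype in (qtype, "CNAME"))
        if asked or (zone is not None and in_zone(rr.name, zone)):
            keep.append(rr)
            if asked and rr.rtype == "CNAME" and qtype != "CNAME":
                # Resolve the target with a fresh query; data this server
                # volunteers about it is not trusted.
                requery.append(norm(rr.rdata))
        else:
            drop.append(rr)
    return keep, drop, requery

# Constructed sample response (names from the post plus example.com filler).
QNAME = "DNS.test.15169.spoof.apostols.org"
TARGET = "Ohhh.shit.My.DNS.server.is.vulnerable"
SAMPLE = [
    RR("answer", QNAME + ".", "CNAME", TARGET + "."),
    RR("answer", TARGET + ".", "A", "192.0.2.66"),
    RR("additional", "www.example.com.", "A", "192.0.2.67"),
    RR("additional", "ns.spoof.apostols.org.", "A", "192.0.2.53"),
]

if __name__ == "__main__":
    for zone in (None, "spoof.apostols.org"):
        keep, drop, requery = filter_response(QNAME, "A", SAMPLE, zone)
        print(zone, [r.name for r in keep], [r.name for r in drop], requery)
```

In strict mode only the CNAME for the queried name survives and its target is queued for a separate lookup, which is the latency and bandwidth cost the message mentions.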