Bugtraq mailing list archives
Re: BIND bugs of the month
From: djb () CR YP TO (D. J. Bernstein)
Date: Sat, 13 Nov 1999 01:14:24 -0000
A sniffing attacker can easily forge responses to your DNS requests. He can steal your outgoing mail, for example, and intercept your ``secure'' web transactions. This is obviously a problem.

We know how to solve this problem with cryptographic techniques. DNSSEC has InterNIC digitally sign all DNS records, usually through a chain of intermediate authorities. Attackers can't forge the signatures.

Of course, this system still allows InterNIC to steal your outgoing mail, and intercept your ``secure'' web transactions. We know how to solve this problem too. The solution is simpler and faster than DNSSEC, though it only works for long domain names: use cryptographic signature key hashes as domain names.

But all this cryptographic work accomplishes _nothing_ if the servers are subject to buffer overflows! An attacker doesn't have to bother guessing or sniffing query times and IDs, and forging DNS responses, if he can simply take over the DNS server.

This NXT buffer overflow isn't part of some old code that Paul Vixie inherited from careless graduate students. It's new code. It's part of BIND's DNSSEC implementation. I don't find the irony amusing.

Obviously ISC's auditing is inadequate. Does anyone seriously believe that the current BIND code is secure? If it isn't, adding DNSSEC to it doesn't help anybody. Is ISC going to rewrite the client and server in a way that gives us confidence in their security?

David R. Conrad writes:
> In addition, we recommend running your nameserver as non-root and chrooted (I know setting this up is non-trivial -- it'll be much, much easier in BINDv9).
``I wouldn't consider installing named any other way,'' I told Vixie in September 1996. He didn't respond.

Of course, DNSSEC is equally useless either way; the only question is whether an attacker can also take over the rest of the machine.

---Dan