Bugtraq mailing list archives
Re: CAIS-ALERT: Vulnerability in the sending requests control of BIND
From: "D. J. Bernstein" <djb () cr yp to>
Date: 27 Nov 2002 22:20:05 -0000
Vagner Sacramento writes:

> BIND versions 4 and 8 use procedures that allow a remote DNS Spoofing attack against DNS servers.

Nonsense. All DNS caches will accept forged packets. See http://cr.yp.to/djbdns/forgery.html for an analysis of the cost of a forgery.

Yes, the cost of a blind forgery depends quite noticeably on the software---it's larger for dnscache (djbdns) than for BIND 9 thanks to BIND's port reuse, and larger for BIND 9 than for older versions of BIND thanks to this ``vulnerability,'' which has been known for years---but thinking that software can protect you from forged DNS packets with the current DNS protocol is like thinking that shorts and a T-shirt will protect you from the winter wind in Chicago.

Furthermore, the recommendation to limit recursion, while certainly a good idea, doesn't make a big difference in the cost unless you also clamp down on all the programs that act as DNS-query-tunneling tools: SMTP servers, web browsers, etc.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
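As an added illustration (not part of Bernstein's post or of the CAIS alert), the following model shows why the reply ranks dnscache, BIND 9 and older BIND by forgery cost: the guess space a blind forger must cover is set by how much transaction-ID and source-port entropy the cache exposes. The bit counts assigned to each configuration are assumptions for the comparison, not figures from the thread.

```python
"""Constructed risk model: how many query windows a blind forger needs
on average, as a function of the entropy a resolver puts in its queries.
Assumptions (not from the thread): one outstanding query per window, the
forger's guesses are distinct and uniformly likely, and the window closes
when the legitimate answer arrives."""

def guess_space(id_bits: int, port_bits: int) -> int:
    """Number of (transaction ID, source port) pairs that must be covered."""
    return 2 ** (id_bits + port_bits)

def per_window_probability(id_bits: int, port_bits: int, forged: int) -> float:
    """Chance that `forged` distinct guesses hit the one accepted pair."""
    return min(1.0, forged / guess_space(id_bits, port_bits))

def success_probability(id_bits: int, port_bits: int,
                        forged: int, windows: int) -> float:
    """Chance of at least one successful forgery over `windows` attempts."""
    p = per_window_probability(id_bits, port_bits, forged)
    return 1.0 - (1.0 - p) ** windows

def expected_windows(id_bits: int, port_bits: int, forged: int) -> float:
    """Expected number of query windows until the first success."""
    return 1.0 / per_window_probability(id_bits, port_bits, forged)

# Assumed entropy per configuration, following the ordering in the reply.
CONFIGS = {
    "predictable ID, fixed port (older BIND per the alert)": (0, 0),
    "random 16-bit ID, reused port (BIND 9 per the reply)": (16, 0),
    "random 16-bit ID, random ~16-bit port (dnscache)": (16, 16),
}

def compare(forged: int = 1000) -> dict:
    """Expected windows to first success for each configuration."""
    return {name: expected_windows(ib, pb, forged)
            for name, (ib, pb) in CONFIGS.items()}

if __name__ == "__main__":
    for name, windows in compare().items():
        print(f"{name}: ~{windows:,.0f} windows")
```

Limiting recursion shrinks who can open a window at all, but as the reply notes it does not change the size of the guess space, which is what the numbers above measure.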
Current thread:
- CAIS-ALERT: Vulnerability in the sending requests control of BIND Vagner Sacramento (Nov 26)
- Re: CAIS-ALERT: Vulnerability in the sending requests control of BIND D. J. Bernstein (Nov 27)
- <Possible follow-ups>
- RE: CAIS-ALERT: Vulnerability in the sending requests control of BIND Iván Arce (Nov 27)
- RE: CAIS-ALERT: Vulnerability in the sending requests control of BIND Vagner Sacramento (Nov 29)
- RE: CAIS-ALERT: Vulnerability in the sending requests control of BIND Iván Arce (Nov 28)
- RE: CAIS-ALERT: Vulnerability in the sending requests control of BIND Vagner Sacramento (Nov 29)