Bugtraq mailing list archives
Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
From: "Bojan Zdrnja" <bojan.zdrnja () gmail com>
Date: Thu, 19 Apr 2007 01:25:01 +1200
Hi Roger,

On 4/18/07, Roger A. Grimes <roger () banneretcs com> wrote:

> How does BIND stop this sort of attack? Can a BIND expert respond?

I'm not a BIND expert but I can (hopefully) tell you what's happening.

Basically, Windows 2000 <SP3 automatically accepts all authority RRs (authoritative name servers) that are received in a DNS reply. So, if you have a DNS server running on Windows 2000 SP3 which is available from the Internet, and which supports recursive requests, all an attacker has to do is to issue a DNS request to your server, for a domain (and a DNS server) that he controls. The attacker's DNS server can add several authority RRs (they define authoritative nameservers) for TLDs, such as .com or .net, and will effectively pollute your DNS cache.

This can be fixed by applying SP4 or changing a registry item.

However, it was later found that Windows 2000 DNS servers were still vulnerable if they were configured to forward DNS requests to another DNS server. So, the typical setup in most organizations is:

Windows DNS -> forwarding to BIND

If you have BIND < v9, it will retrieve the reply but will not strip out authority RRs. BIND will send this back to the Windows DNS server, which will happily cache everything, trusting BIND.

In BIND v9 this was fixed because it will delete this (extra) data before sending the reply back to the Windows DNS server (that's why it's very important to upgrade your DNS servers to BIND v9).

I'm not sure what the story is with other DNS servers (djbdns, for example).

Cheers,

Bojan
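An added example, not part of the thread and not BIND's own code, of the kind of filtering the reply above credits to BIND v9: the DNS reply is parsed from wire format and any authority or additional RR whose owner name is not at or below the zone the server was asked about is dropped before it could be passed to a caching forwarder. All names, addresses and the reply itself are constructed for the example; the bailiwick rule is a simplified version of the credibility checks a real resolver applies.

```python
import struct

def enc_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def rr(owner, rtype, rdata):                      # owner is already wire-encoded
    return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

# Constructed reply to "www.attacker.example A": the NS RR for "com" is the out-of-zone authority data the post describes.
REPLY = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 2, 2)
         + enc_name("www.attacker.example") + struct.pack("!HH", 1, 1)
         + rr(b"\xc0\x0c", 1, bytes([192, 0, 2, 10]))       # owner = compression pointer to the question name
         + rr(enc_name("attacker.example"), 2, enc_name("ns1.attacker.example"))
         + rr(enc_name("com"), 2, enc_name("ns1.attacker.example"))
         + rr(enc_name("ns1.attacker.example"), 1, bytes([192, 0, 2, 1]))
         + rr(enc_name("a.gtld-servers.net"), 1, bytes([192, 0, 2, 2])))

def read_name(msg, off):
    """Decode a possibly compressed name at msg[off:]; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                        # compression pointer: jump, remember the return point once
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n

def parse_reply(msg):
    """Return (qname, [(section, owner, rtype, rdata), ...]) for a DNS reply in wire format."""
    _, an, ns, ar = struct.unpack("!4H", msg[4:12])
    qname, off = read_name(msg, 12)
    off += 4                                        # skip QTYPE and QCLASS
    rrs = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = read_name(msg, off)[0] if rtype == 2 else ".".join(map(str, msg[off:off + rdlen]))
            rrs.append((section, owner, rtype, rdata))
            off += rdlen
    return qname, rrs

def strip_out_of_bailiwick(zone, rrs):
    """Keep only RRs whose owner is at or below the zone the server was asked about; return (kept, dropped)."""
    ok = lambda name: name == zone or name.endswith("." + zone)   # simplified bailiwick rule
    return [r for r in rrs if ok(r[1])], [r for r in rrs if not ok(r[1])]
```

Running `strip_out_of_bailiwick("attacker.example", parse_reply(REPLY)[1])` keeps the answer, the NS record for attacker.example and its glue, and drops the NS record for "com" together with the unrelated glue address.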