Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing

["Bojan Zdrnja" <bojan.zdrnja () gmail com>]

Hi Roger,

On 4/18/07, Roger A. Grimes <roger () banneretcs com> wrote:
> How does BIND stop this sort of attack?
>
> Can a BIND expert respond?

I'm not a BIND expert but I can (hopefully) tell you what's happening.
Basically, Windows 2000 <SP3 automatically accepts all authority RRs
(authoritative name servers) that are received in a DNS reply.

So, if you have a DNS server running on Windows 2000 SP3 which is
available from the Internet, and which supports recursive requests,
all an attacker has to do is to issue a DNS request to your server,
for a domain (and a DNS server) that he controls.
Attacker's DNS server can add several authority RRs (they define
authoritative nameservers) for TLDs, such as .com or .net and will
effectively pollute your DNS cache.

This can be fixed by applying SP4 or changing a registry item.
However, it was later found that Windows 2000 DNS servers were still
vulnerable if they were configured to forward DNS requests to another
DNS server.
So, the typical setup in most organization is:

Windows DNS -> forwarding to BIND

If you have BIND < v9, it will retrieve the reply but will not strip
out authority RRs. BIND will send this back to the Windows DNS server
which will happily cache everything, trusting BIND.

In BIND v9 this was fixed because it will delete this (extra) data
before sending the reply back to the Windows DNS server (that's why
it's very important to upgrade your DNS servers to BIND v9).

I'm not sure what's the story with other DNS servers (djbdns, for example).

Cheers,

Bojan