Dailydave mailing list archives
Re: DNS Speculation
From: "Dominique Brezinski" <dominique.brezinski () gmail com>
Date: Tue, 22 Jul 2008 10:17:35 -0700
On Tue, Jul 22, 2008 at 9:55 AM, Alexander Sotirov <alex () sotirov net> wrote:
> Alright, so then my question is why would the resolver accept the additional RR record for ns.google.com? It didn't ask for ns.google.com, it should just ignore the extra RR. The only server who should be allowed to send A records for ns.google.com should be the .com nameserver.

Because ns.google.com is authoritative for google.com, not the .com root server. The root server just tells you where to find ns.google.com based on the published NS records. So ns.google.com includes additional RRs in responses, so the client can populate its cache with the current name servers for google.com and their IP addresses. That is how DNS works. And that behavior allows the authoritative server to deliver the names and addresses of the current primary and secondary authoritative name servers in an efficient manner.

The problem is the ability to spoof the response from the authoritative server (cause TXID collision). Once you do that, you speak for the domain.

DNS is already a very chatty protocol, so limiting the authoritative server to just being able to deliver the A or CNAME record that was queried and the names of the authoritative name servers would greatly increase the traffic volume. Yes it would complicate the attack, but it would not entirely stop it. And changing this behavior would effectively cause a DDoS against many of the name servers out there.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
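
The bailiwick rule this exchange turns on, as an added example that is not part of the original post or thread: a resolver-side filter that caches glue only when its owner name lies inside the zone the queried server answers for. Function names and the sample records (documentation addresses) are constructed for illustration; ns.google.com passes the check for google.com, which is why the check alone does not help once the response itself is forged.

```python
# Added illustration: names and sample records are constructed, not from the thread.

def labels(name):
    """Lower-case labels of a DNS name, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_bailiwick(owner, zone):
    """True if owner is the zone itself or a subdomain (compared label by label)."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_response(zone, authority, additional):
    """Split a response's NS and glue records into (accepted, rejected).

    zone:       zone the queried server answers for, e.g. "google.com"
    authority:  (owner, "NS", target) tuples from the authority section
    additional: (owner, "A", address) tuples from the additional section
    Glue is cached only when its owner is in-bailiwick and is the target of
    an accepted NS record; anything else is dropped.
    """
    accepted, rejected, ns_targets = [], [], set()
    for rec in authority:
        owner, rtype, target = rec
        if rtype == "NS" and in_bailiwick(owner, zone):
            accepted.append(rec)
            ns_targets.add(".".join(labels(target)))
        else:
            rejected.append(rec)
    for rec in additional:
        owner, rtype, _addr = rec
        name = ".".join(labels(owner))
        if rtype == "A" and name in ns_targets and in_bailiwick(owner, zone):
            accepted.append(rec)
        else:
            rejected.append(rec)
    return accepted, rejected

# Constructed sample response to a query sent to a google.com name server.
SAMPLE_AUTHORITY = [("google.com.", "NS", "ns.google.com.")]
SAMPLE_ADDITIONAL = [
    ("ns.google.com.", "A", "192.0.2.53"),       # in-bailiwick glue: kept
    ("www.example.org.", "A", "192.0.2.66"),     # unrelated zone: dropped
    ("ns.notgoogle.com.", "A", "192.0.2.67"),    # suffix match only: dropped
]

if __name__ == "__main__":
    ok, dropped = filter_response("google.com", SAMPLE_AUTHORITY, SAMPLE_ADDITIONAL)
    print("accepted:", ok)
    print("rejected:", dropped)
```
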