Dailydave mailing list archives

Re: DNS Speculation


From: natron <shiftnato () gmail com>
Date: Mon, 21 Jul 2008 19:39:09 -0500

What happens when the glue record isn't out-of-zone?  If your RR
request is ulamYYYYY.domain.com, the DNS server would accept a
response for ns1.domain.com.

N

On Mon, Jul 21, 2008 at 2:50 PM, Petja van der Lek <lek () xs4all nl> wrote:
It looks like you're channelling Dan Bernstein, 8 years after the fact.
See: <http://cr.yp.to/djbdns/notes.html>. What your diabolical scheme
boils down to is the inappropriate caching of out-of-zone glue records.
As far as I know, djbdns never cached out-of-zone glue records, and BIND
stopped doing that with version 9. Um, it did, right? (pokes the *real*
experts for support)

Cheers,
Lek.

Halvar Flake wrote:
[BIG SNIP]
Mallory wants to poison DNS lookups on server ns.polya.com for the
domain www.gmx.net. The nameserver for gmx.net is ns.gmx.net. Mallory's
IP is 244.244.244.244.

Mallory begins to send bogus requests for www.ulam00001.com,
www.ulam00002.com ... to ns.polya.com. ns.polya.com doesn't have these
requests cached, so it asks a root server "where can I find the .com
NS?" It then receives a referral to the .com NS. It asks the nameserver
for .com where to find the nameserver for ulam00001.com, ulam00002.com
etc.

Mallory spoofs referrals claiming to come from the .com nameserver to
ns.polya.com. In these referrals, it says that the nameserver
responsible for ulamYYYYY.com is a server called ns.gmx.net and that
this server is located at 244.244.244.244. Also, the time to live of
this referral is ... long ...

Now eventually, Mallory will get one such referral spoofed right, e.g.
the TXID etc. will be guessed properly. ns.polya.com will then cache
that ns.gmx.net can be found at ... 244.244.244.244. Yay.

The above is almost certainly wrong. Can someone with more insight into
DNS tell me why it won't work?


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
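The bailiwick rule Lek refers to, as an added example that is not code from the thread, from djbdns or from BIND: a caching resolver keeps a record from the additional section of a referral only if the record's owner name lies inside the zone the responding server is authoritative for. Fed Halvar's referral as if it came from a .com server, the check discards the A record for ns.gmx.net, so the forged address is never cached. Fed natron's in-zone case, glue for ns1.domain.com alongside a referral for ulamYYYYY.domain.com passes, which is why this check alone does not answer his question. The function names, the record tuples and the sample data are this example's own, built from the names and address used in the thread.

```python
"""Bailiwick filtering of glue records in a DNS referral (added example).

A record tuple is (owner_name, rrtype, rdata, ttl). The zone passed to
accept_glue() is the zone the responding server is authoritative for:
'com' for a .com TLD server, 'domain.com' for domain.com's own server.
"""


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot; DNS names are case-insensitive
    and 'ns.gmx.net.' and 'NS.GMX.NET' denote the same owner."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or a subdomain of it.

    The comparison is label by label, so 'notgmx.net' is not inside
    'gmx.net'. The root zone (empty name) contains everything.
    """
    z = normalize(zone)
    if z == "":
        return True
    n_labels = normalize(name).split(".")
    z_labels = z.split(".")
    return len(n_labels) >= len(z_labels) and n_labels[-len(z_labels):] == z_labels


def accept_glue(responder_zone: str, additional):
    """Split a referral's additional-section records into the ones a cache
    may keep and the ones it must drop as out-of-bailiwick."""
    kept, dropped = [], []
    for rr in additional:
        owner = rr[0]
        (kept if in_bailiwick(owner, responder_zone) else dropped).append(rr)
    return kept, dropped


# Constructed from Halvar's scenario: a forged referral from the .com
# servers for ulam00001.com whose glue points ns.gmx.net at Mallory's IP.
HALVAR_AUTHORITY = [("ulam00001.com", "NS", "ns.gmx.net", 86400)]
HALVAR_ADDITIONAL = [("ns.gmx.net", "A", "244.244.244.244", 86400)]

# Constructed from natron's follow-up: the glue owner is inside the zone
# being asked about, so a bailiwick check has no reason to reject it.
NATRON_ADDITIONAL = [("ns1.domain.com", "A", "198.51.100.53", 86400)]


def halvar_case():
    """Glue for ns.gmx.net in a referral from the 'com' zone: dropped."""
    return accept_glue("com", HALVAR_ADDITIONAL)


def natron_case():
    """Glue for ns1.domain.com in a referral from 'domain.com': kept."""
    return accept_glue("domain.com", NATRON_ADDITIONAL)


if __name__ == "__main__":
    for label, (kept, dropped) in (("Halvar", halvar_case()), ("natron", natron_case())):
        print(f"{label}: kept={kept} dropped={dropped}")
```

The NS record in the authority section (ulam00001.com NS ns.gmx.net) is itself in bailiwick for a .com server and may be cached; only the address that came with it is discarded, so the resolver has to resolve ns.gmx.net through the .net delegation instead of trusting the forged referral.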


