Full Disclosure mailing list archives
Re: [Plugins-writers] recursive DNS issue
From: Paul Johnston <paul () westpoint ltd uk>
Date: Thu, 04 Mar 2004 16:37:39 +0000
Hi,

I think there are three potential risks, none of them particularly major.

1) Information leakage

If an attacker issues non-recursive queries against the server, they can see what domains have been looked up, and also infer when from the TTL. In fact even if you disable recursion they may still be able to do this. For BIND I advocate denying all queries at the top of the config file, and then specifically allowing queries for each authoritative zone.

2) Unauthorized use of resources

People can hijack you as a free resolver. This is unlikely to be much of a problem in reality. Personally I always know a few open resolvers, so I've got backup nameservers if the local ones are down.

3) Potential cache poisoning

This is more a theoretical risk than anything. All the easy cache poisoning attacks (ID prediction, birthday, etc.) are vulnerabilities in specific versions of software. Better servers like DJB or BIND 9 randomize both the transaction ID and the UDP source port, giving an attacker about 2^26 space to brute force (and no handy shortcuts). This is scarcely easier than brute forcing a TCP connection.
Regards,

Paul

omifix omnifix wrote:

> Hi all, can anybody explain to me what the problem is when my external DNS server supports recursive DNS queries? People are telling me that a DNS server is prone to cache poisoning when recursive DNS queries are supported.
--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
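As an added illustration of point 1 (not taken from Paul's message or from any project's shipped configuration), here are two alternative BIND 9 named.conf fragments: the permissive shape that exposes the cache to non-recursive probing and free-resolver use, and the "deny everything at the top, allow per authoritative zone" shape the message recommends. The zone name, file paths and the 192.0.2.0/24 range are placeholders; the two fragments are alternatives, not one file.

```conf
// ===== Fragment A: permissive external server (constructed "before" example) =====
options {
    directory "/var/named";        // placeholder path
    recursion yes;                 // anyone on the Internet may use us as a resolver
    allow-query { any; };          // anyone may ask for any name, including cached ones,
                                   // so a non-recursive query reveals what was looked up
};

zone "example.org" {               // placeholder authoritative zone
    type master;
    file "db.example.org";
};

// ===== Fragment B: restricted external server, following the message's advice =====
options {
    directory "/var/named";
    recursion no;                  // authoritative only: no resolving for outsiders
    allow-query { none; };         // deny all queries by default; names outside the
                                   // zones below are REFUSED, cached or not
};

zone "example.org" {
    type master;
    file "db.example.org";
    allow-query { any; };          // open up only the data we are authoritative for
};

// If the same host must also resolve for an internal network, keep the default deny
// but admit that range for queries, recursion and cache reads (allow-query-cache
// exists in BIND 9.4 and later; the range below is a placeholder):
//
// options {
//     allow-query       { 192.0.2.0/24; };
//     allow-recursion   { 192.0.2.0/24; };
//     allow-query-cache { 192.0.2.0/24; };
// };
// Authoritative zones still carry their own "allow-query { any; };" as above.
```

After changing the file, run `named-checkconf` and then verify from an external address that a query for a name outside your zones is refused rather than answered from cache.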
Current thread:
- recursive DNS issue omifix omnifix (Mar 02)
- Re: recursive DNS issue Bruno Wolff III (Mar 03)
- Re: [Plugins-writers] recursive DNS issue Paul Johnston (Mar 04)
- Re: [Plugins-writers] recursive DNS issue John Lampe (Mar 04)