Re: how to protect name servers against cache corruption

["Perry E. Metzger" <perry () piermont com>]

"Thomas H. Ptacek" writes:
> > No, it *is* immune to all variants on *THAT* attack. It isn't immune
> > to other sorts of attacks.
>
> I think you are speaking in fairly blatant factual error here, or we are
> in micommunication with respect to the meaning of the word "variant".

No, my facts here are more or less accurate. Eugene's attack was very
crude. He just put some bogus NS records into his alternic.net zone so
that queries for www.alternic.net would pick up those bogus servers
and their associated A records. His "sophisticated hack" consisted of
typing "dig @victim -t a www.alternic.net", or something like it. I
did tcpdumps of his "attack" in progress when he hit my machines so I
have logs of what he did, not that they are very interesting.

An attack like this, done just by putting bogus data into your DNS
boot files in a similar manner, isn't going to work against the latest
versions of BIND -- indeed, none of the reasonable "variants" on the
attack would work, either.

There *are* attacks that will work against the BIND 8.1.1, but they
require that you actually learn how to program in C and do something
active, and they won't do for you what one of Eugene's hacks did. I'm
sure our friends at 2600 will be publishing them any day, but really,
there isn't much to be done about them other than implementing DNSSEC.

Perry