nanog mailing list archives
Re: Jonathan Yarden @ TechRepublic: Disable DNS caching on workstations
From: "Peter & Karin Dambier" <peter () peter-dambier de>
Date: Mon, 18 Apr 2005 22:08:01 +0200 (MEST)
> Is it possible to "prevent" poisoning attacks? Is it beneficial, or even
> possible, to prevent TTLs from being an excessively high value?
>
> -- Jason 'XenoPhage' Frisvold
> XenoPhage0 () gmail com
Preventing poisoning attacks:

I guess most attacks are against Windows workstations.

1) Hide them behind a NAT-router. If they cannot see them, they cannot attack them.

2) Have your own DNS-server, root-server, authoritative server, cache.

You can have your own root-server: b.root-servers.net and c.root-servers.net as well as f.root-servers.net allow cloning. Just run your Bind 9 as a slave for "." . An authoritative server cannot be poisoned. Only resolvers can.

When you have sensitive addresses put them into your /etc/hosts or clone their zone. Again Bind 9 allows it. Do their servers? Get the zone file via ftp or email. Authoritative servers cannot be poisoned.

Have your own cache behind the NAT-router. If they cannot see you they cannot poison you.

There is one exception from the rule: You browse "www.bad.guy". They have a nameserver "ns1.bad.guy" that returns something like

;; ANSWER SECTION:
a.root-servers.net.     86268   IN      A       205.189.71.2

Then your cache will be in the "Public-Root.net". But remember - an authoritative DNS-server cannot be poisoned.

Regards,
Peter Dambier

--
Peter und Karin Dambier
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-6252-599091 (O2 Genion)
+49-6252-750308 (Sipgate VoIP)
peter () peter-dambier de
www.peter-dambier.de
peter-dambier.site.voila.fr
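The exception Peter describes, a nameserver for bad.guy handing back a record for a.root-servers.net, is exactly what a resolver's bailiwick check exists to catch. The following is an added example, not code from the post or from BIND: a minimal Python filter that keeps only records the answering server is authoritative for, so the out-of-zone root-server record is dropped instead of cached. The zone name and the legitimate address for www.bad.guy are constructed for the example.

```python
"""Bailiwick check for DNS responses (constructed example, not BIND code).

A server asked about www.bad.guy speaks for the zone bad.guy only.  Any
record in its reply whose owner name lies outside that zone (such as
a.root-servers.net) must not enter the cache.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "a.root-servers.net."
    ttl: int
    rtype: str
    rdata: str


def _labels(name: str) -> list[str]:
    """Split a domain name into lower-cased labels, ignoring the root dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it (label-wise, so
    notbad.guy is NOT inside bad.guy)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_response(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split a reply into (records safe to cache, records to discard).

    zone is the zone the queried server is authoritative for, e.g. "bad.guy."
    """
    accepted: list[RR] = []
    rejected: list[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed reply modelled on the exchange in the post above.
EXAMPLE_RESPONSE = [
    RR("www.bad.guy.", 3600, "A", "192.0.2.10"),            # legitimate answer
    RR("a.root-servers.net.", 86268, "IN A".split()[1], "205.189.71.2"),  # poison attempt
]

if __name__ == "__main__":
    ok, bad = filter_response("bad.guy.", EXAMPLE_RESPONSE)
    for rr in bad:
        print(f"dropped out-of-bailiwick record: {rr.name} {rr.rtype} {rr.rdata}")
```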