nanog mailing list archives
Re: Jonathan Yarden @ TechRepublic: Disable DNS caching on workstations
From: Tony Rall <trall () almaden ibm com>
Date: Mon, 18 Apr 2005 14:10:03 -0700
On Monday, 2005-04-18 at 22:08 ZE2, "Peter & Karin Dambier" <peter () peter-dambier de> wrote:

> Preventing poisoning attacks: I guess most attacks are against Windows workstations.

I'm not sure what you mean by this. Cache poisoning applies to machines that are doing caching. It can affect any machine that depends on that cache.

> 1) Hide them behind a NAT-router. If they cannot see them, they cannot attack them.

I certainly hope that this would not help. I hope that caching machines will not simply take a packet from a random address and source port 53 and use it to update their cache. I hope that the source address, source port, and destination port, at least, are checked to correspond to an outstanding DNS query. If those all match, the packet will very likely get through a NAT router. In other words, the NAT router provides no protection from this attack at all. Why? Because it's an attack based on traffic that the NATted machine has initiated.

> 2) Have your own DNS-server, root-server, authoritative server, cache. You can have your own root-server: b.root-servers.net and c.root-servers.net as well as f.root-servers.net allow cloning. Just run your BIND 9 as a slave for "." . An authoritative server cannot be poisoned. Only resolvers can.

Certainly authoritative servers can be poisoned, but not for the domains that they're authoritative for. Running your own root only provides protection for the root zone. If I make a query for www.badguy.com and the auth. server for badguy.com returns an answer for www.yahoo.com in the additional data, if I cache it, I'm likely poisoned. That can happen even if I'm auth. for root.

Tony Rall
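As an added illustration of the two checks argued for in the message above, here is a small Python model of a caching resolver. It is not code from the thread or from any real resolver; the class, addresses, record names and the simplified reply structure are constructed for this page. It shows (1) a reply being matched against an outstanding query by server address, server port, our source port, transaction id and question, so a forged packet from a random host with source port 53 is dropped whether or not a NAT router is in the path, and (2) records being cached only when they fall inside the zone the queried server is responsible for, so an additional record for www.yahoo.com returned by badguy.com's server is discarded even though the rest of the reply is accepted.

```python
"""Toy caching resolver (constructed model, not wire-format DNS).

Check 1: a reply must match an outstanding query on (server ip, server
         port, our source port, transaction id, question) or it is dropped.
Check 2: a record is cached only if its name is inside the bailiwick
         (zone) of the server we asked; out-of-zone additional data is
         discarded.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Query:
    txid: int
    qname: str
    qtype: str
    server_ip: str
    server_port: int
    local_port: int   # randomized source port of our outgoing query
    bailiwick: str    # zone the queried server is responsible for


@dataclass(frozen=True)
class Reply:
    src_ip: str
    src_port: int
    dst_port: int     # the port the reply arrived on (our source port)
    txid: int
    qname: str
    qtype: str
    answers: tuple
    additional: tuple


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is below it; the root ('') matches all."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self):
        self.cache = {}     # (name, rtype) -> rdata
        self.pending = {}   # (local_port, txid) -> Query

    def send_query(self, qname, qtype, server_ip, bailiwick) -> Query:
        """Record an outstanding query with a random txid and source port."""
        q = Query(txid=secrets.randbelow(1 << 16), qname=qname, qtype=qtype,
                  server_ip=server_ip, server_port=53,
                  local_port=1024 + secrets.randbelow(64512),
                  bailiwick=bailiwick)
        self.pending[(q.local_port, q.txid)] = q
        return q

    def receive(self, r: Reply) -> dict:
        """Apply check 1 to the packet, then check 2 to each record."""
        q = self.pending.get((r.dst_port, r.txid))
        if (q is None
                or (r.src_ip, r.src_port) != (q.server_ip, q.server_port)
                or (r.qname, r.qtype) != (q.qname, q.qtype)):
            return {"status": "dropped", "cached": [], "rejected": []}
        del self.pending[(r.dst_port, r.txid)]   # one reply per query
        cached, rejected = [], []
        for rr in r.answers + r.additional:
            if in_bailiwick(rr.name, q.bailiwick):
                self.cache[(rr.name, rr.rtype)] = rr.rdata
                cached.append(rr.name)
            else:
                rejected.append(rr.name)
        return {"status": "accepted", "cached": cached, "rejected": rejected}


def demo():
    """Constructed scenario: a forged reply, then a genuine reply that
    carries an out-of-bailiwick additional record."""
    res = Resolver()
    q = res.send_query("www.badguy.com", "A", "192.0.2.10", "badguy.com")

    # 1. Forged reply: txid, ports and question all guessed right, but it
    #    comes from a random host (not the server we asked). Dropped.
    forged = Reply("203.0.113.7", 53, q.local_port, q.txid,
                   "www.badguy.com", "A",
                   (RR("www.badguy.com", "A", "203.0.113.7"),), ())
    r1 = res.receive(forged)

    # 2. Genuine reply from badguy.com's server, smuggling www.yahoo.com
    #    in the additional section. The answer is cached, the extra is not.
    genuine = Reply("192.0.2.10", 53, q.local_port, q.txid,
                    "www.badguy.com", "A",
                    (RR("www.badguy.com", "A", "192.0.2.20"),),
                    (RR("www.yahoo.com", "A", "192.0.2.20"),))
    r2 = res.receive(genuine)
    return r1, r2, dict(res.cache)


if __name__ == "__main__":
    print(demo())
```

The bailiwick rule is what actually stops the www.yahoo.com example from the message above; the packet-matching rule only stops blind forgeries, and a real resolver would additionally randomize the transaction id and source port (as `send_query` does here) so that guessing them is expensive.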