nanog mailing list archives

Re: DNS cache poisoning attacks -- are they real?


From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 29 Mar 2005 13:04:53 +0200


* Brad Knowles:

> At 12:09 AM +0200 2005-03-28, Florian Weimer wrote:
>
>> I doubt this will work on a large scale.
>
> It's already been done on a large scale.
>
>> At least recent BIND resolvers would discard replies from the abused
>> caching resolvers because they lack the AA bit, so only clients using
>> the resolvers as actual resolvers are affected.
>
> Incorrect.

Indeed.

> The resolver requiring that the AA bit be set would prohibit anyone
> from forwarding queries to another server, which might be answering
> from cache.

Would you point me to such a configuration?  I don't think it will
work reliably for this purpose because BIND 9 only waives the
requirement for the AA bit if the authority section of the response
remotely looks like a referral.  I doubt that this is the case if you
simply redirect to a cache.

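The acceptance rule the thread argues about (take a reply if it carries the AA bit, or if its authority section looks like a referral, otherwise discard it) as an added illustration; this is not code from the thread or from BIND, and the `Response` model, `classify` and `make_header` names are assumptions constructed for the example. The header decoding follows RFC 1035 section 4.1.1.

```python
import struct
from dataclasses import dataclass, field

@dataclass
class Response:
    """Minimal model of a DNS reply: raw 12-byte header plus (owner, type) pairs."""
    header: bytes
    qname: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

def header_flags(header):
    """Decode the QR and AA bits from a 12-byte DNS header (RFC 1035 sec. 4.1.1)."""
    if len(header) != 12:
        raise ValueError("DNS header must be exactly 12 bytes")
    _ident, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", header)
    return bool(flags & 0x8000), bool(flags & 0x0400)   # QR is bit 15, AA is bit 10

def at_or_above(zone, name):
    """True if zone is name itself or one of its ancestors (absolute names)."""
    zone, name = zone.lower(), name.lower()
    return zone == "." or name == zone or name.endswith("." + zone)

def looks_like_referral(resp):
    """A referral: empty answer section plus NS records at a cut covering qname."""
    return not resp.answer and any(
        rtype == "NS" and at_or_above(owner, resp.qname)
        for owner, rtype in resp.authority)

def classify(resp):
    """Illustrative acceptance rule; a forwarder's cached answer (AA clear, no
    referral-shaped authority section) is the case the thread says gets dropped."""
    qr, aa = header_flags(resp.header)
    if not qr:
        return "discard: not a response"
    if aa:
        return "accept: authoritative answer"
    if looks_like_referral(resp):
        return "accept: referral"
    return "discard: non-authoritative and not a referral"

def make_header(qr=True, aa=False, ident=0x1234):
    """Build a constructed 12-byte header with one question and no records counted."""
    flags = (0x8000 if qr else 0) | (0x0400 if aa else 0)
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    q = "www.example.com."   # constructed sample question name
    print(classify(Response(make_header(aa=True), q, answer=[(q, "A")])))
    print(classify(Response(make_header(), q, answer=[(q, "A")])))       # cached forwarder
    print(classify(Response(make_header(), q, authority=[("example.com.", "NS")])))
```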
