nanog mailing list archives
Re: DNS cache poisoning attacks -- are they real?
From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 29 Mar 2005 13:04:53 +0200
* Brad Knowles:
> At 12:09 AM +0200 2005-03-28, Florian Weimer wrote:
>
>> I doubt this will work on a large scale.
>
> It's already been done on a large scale.
>
>> At least recent BIND resolvers would discard replies from the abused
>> caching resolvers because they lack the AA bit, so only clients using
>> the resolvers as actual resolvers are affected.
>
> Incorrect.
Indeed.
> The resolver requiring that the AA bit be set would prohibit anyone from
> forwarding queries to another server, which might be answering from cache.
Would you point me to such a configuration? I don't think it will work reliably for this purpose because BIND 9 only waives the requirement for the AA bit if the authority section of the response remotely looks like a referral. I doubt that this is the case if you simply redirect to a cache.
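As an added illustration (not code from this thread or from BIND), a Python classifier that applies the rule described above in simplified form: a reply without the AA bit is accepted only when it looks like a referral, i.e. it carries no answers and its authority section holds NS records for the query name or one of its ancestors; a non-authoritative answer relayed from another cache is rejected. The referral test, the helper names and the constructed sample replies are assumptions of this example, not BIND 9's actual logic.

```python
import struct
def _encode_name(name):
    labels = [l for l in name.rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode() for l in labels) + b'\x00'

def _read_name(msg, off):
    """Decode a (possibly compressed) owner name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            end = end if jumped else off + 2
            off, jumped = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode('ascii').lower())
        off += ln
    return '.'.join(labels), (end if jumped else off)

def build_reply(qname, aa, answers, authority):
    """Constructed, uncompressed reply for testing; records are (owner, rtype, rdata)."""
    flags = 0x8000 | (0x0400 if aa else 0)          # QR set, AA optional
    msg = struct.pack('!HHHHHH', 0x1234, flags, 1, len(answers), len(authority), 0)
    msg += _encode_name(qname) + struct.pack('!HH', 1, 1)    # qtype A, class IN
    for owner, rtype, rdata in answers + authority:
        msg += _encode_name(owner) + struct.pack('!HHIH', rtype, 1, 300, len(rdata)) + rdata
    return msg

def classify_reply(msg, qname):
    """'authoritative' (AA set), 'referral' (no answers, NS for qname or an ancestor) or 'reject'."""
    flags, qd, an, ns = struct.unpack('!HHHH', msg[2:10])
    if flags & 0x0400:
        return 'authoritative'
    off = 12
    for _ in range(qd):                             # skip the question section
        off = _read_name(msg, off)[1] + 4
    ns_owners = []
    for i in range(an + ns):                        # walk answer + authority records
        owner, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10 + rdlen
        if i >= an and rtype == 2:                  # NS record in the authority section
            ns_owners.append(owner)
    q = qname.rstrip('.').lower()
    is_ancestor = lambda o: o == '' or o == q or q.endswith('.' + o)
    if an == 0 and ns_owners and all(is_ancestor(o) for o in ns_owners):
        return 'referral'
    return 'reject'        # e.g. a non-authoritative answer relayed from another cache
```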