nanog mailing list archives
TLD servers with recursion was Re: Exploit for DNS Cache Poisoning - RELEASED
From: Simon Waters <simonw () zynet net>
Date: Thu, 24 Jul 2008 10:06:25 +0100
On Thursday 24 July 2008 05:17:59 Paul Ferguson wrote:
> Let's hope some very large service providers get their act together real soon now.
> http://www.hackerfactor.com/blog/index.php?/archives/204-Poor-DNS.html
It isn't going to happen without BIG political pressure, either from users, or governments, and other bodies.

I checked last night, and noticed TLD servers for .VA and .MUSEUM are still offering recursion amongst a load of less popular top level domains. Indeed just under 10% of the authoritative name servers mentioned in the root zone file still offer recursion. I didn't check IPv6 servers, but these IPv4 servers are potentially vulnerable to this (and other) poisoning attacks. Hard to pin down numbers as some have been patched, and some have unusual behaviour on recursion, but I fancy my chances of owning more than a handful of TLDs if I had the time to try (and immunity from prosecution).

The advice NOT to allow recursion on TLD servers is well over a decade old. So who thinks the current fashionable problem will be patched widely in a month - given it is much less critical in nature?

The .MUSEUM server that is offering recursion is hosted by the Getty Foundation, so I assume money isn't the issue. The Vatican ought to be able to find someone in its billion adherents prepared to help configure a couple of name servers.

I also noticed that one of the ".US" servers doesn't exist in the DNS proper; glue exists but not the record in the zone. I'm guessing absence of a name server's name record in its proper zone makes certain spoofing attacks easier (since you are only competing with glue records), although I can't specifically demonstrate that one for blackhat 2008 - it suggests a certain lack of attention on the part of the domain's administrators.

I was tempted to write a mock RFC, proposing dropping all top level domain names which still have recursion enabled in one or more of their name servers - due to "lack of maintenance". A little humour might help make the point; Slashdot might go for it.
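Added example, not part of Simon's post or the NANOG archive: a small Python probe of the kind behind "still offering recursion". It sends an out-of-bailiwick A query with RD=1 to a name server and classifies the reply from its RFC 1035 header bits (RA, AA, RCODE) and section counts. The server IP, the probe name www.example.com and the fixed transaction id are assumptions; the sample replies are constructed headers, not captured traffic.

```python
import socket
import struct

QID = 0x1234  # fixed transaction id; a reply carrying another id is not ours

def build_query(qname, qid=QID):
    """Minimal A/IN query with the RD bit set, i.e. 'please recurse for me'."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def classify_response(resp, qid=QID):
    """Classify a reply to an out-of-bailiwick probe from its 12-byte header."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, an, ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid:
        return "id-mismatch"         # not an answer to our query (or a spoofed one)
    aa, ra, rcode = bool(flags & 0x0400), bool(flags & 0x0080), flags & 0x000F
    if rcode == 5:
        return "refused"             # recursion denied: what a TLD server should do
    if an > 0 and not aa:
        return "open-recursion"      # it answered for a name it is not authoritative for
    if ra:
        return "ra-advertised"       # RA set but no answer; server still claims to recurse
    if an == 0 and ns > 0:
        return "referral"            # authoritative-only: points elsewhere, does not resolve
    return "other"

def check_server(ip, probe="www.example.com.", timeout=3.0):
    """Send the probe over UDP port 53 and classify what comes back (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(probe), (ip, 53))
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(resp)

SAMPLES = {  # constructed reply headers (QR=1, RD echoed) standing in for real servers
    "refused":        struct.pack(">HHHHHH", QID, 0x8185, 1, 0, 0, 0),   # rcode 5
    "open-recursion": struct.pack(">HHHHHH", QID, 0x8180, 1, 1, 0, 0),   # RA, 1 answer
    "ra-advertised":  struct.pack(">HHHHHH", QID, 0x8180, 1, 0, 0, 0),   # RA, no answer
    "referral":       struct.pack(">HHHHHH", QID, 0x8100, 1, 0, 13, 0),  # 13 NS, no RA
    "id-mismatch":    struct.pack(">HHHHHH", 0x9999, 0x8180, 1, 1, 0, 0),
}

def audit_samples():
    return {expected: classify_response(raw) for expected, raw in SAMPLES.items()}
```

Against a live server, run `check_server` once per NS address taken from the root zone; "refused" or "referral" is the healthy outcome for an authoritative-only host.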