[106159] in North American Network Operators' Group
Re: Exploit for DNS Cache Poisoning - RELEASED
daemon@ATHENA.MIT.EDU (William Herrin)
Wed Jul 23 22:35:30 2008
Date: Wed, 23 Jul 2008 22:34:17 -0400
From: "William Herrin" <herrin-nanog@dirtside.com>
To: "Joe Greco" <jgreco@ns.sol.net>
In-Reply-To: <200807240144.m6O1iMcT031279@aurora.sol.net>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
On Wed, Jul 23, 2008 at 9:44 PM, Joe Greco <jgreco@ns.sol.net> wrote:
>> Except this time your reply comes with an additional record
>> containing the IP for www.gmail.com to the one you want to redirect it
>> to.
>
> Thought that was the normal technique for cache poisoning. I'm pretty
> sure that at some point, code was added to BIND to actually implement
> this whole bailiwick system, rather than just accepting arbitrary out-
> of-scope data, which it ... used to do (sigh, hi BIND4).

Joe,

I think that's the beauty of this attack: the data ISN'T out of scope.
The resolver is expecting to receive one or more answers to
00001.gmail.com, one or more authority records (gmail.com NS
www.gmail.com) and additional records providing addresses for the
authority records (www.gmail.com A 127.0.0.1).

Regards,
Bill Herrin
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
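
The bailiwick check discussed in this message, as an added example that is not part of the original post and is not BIND's code: a simplified filter that keeps a record only if its owner name is at or below the zone being queried (gmail.com). The function names, the answer address and the two contrast records are constructed assumptions; the three gmail.com records are the ones named in the message, and all of them pass the filter.

```python
from typing import NamedTuple


class RR(NamedTuple):
    section: str  # "answer", "authority" or "additional"
    owner: str
    rtype: str
    rdata: str


def labels(name: str) -> list:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or is a subdomain of it.

    Compared label by label, so 'notgmail.com' is not treated as being
    inside 'gmail.com' just because the strings share a suffix.
    """
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_response(records, zone):
    """Split records into (accepted, rejected) by the bailiwick rule."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr.owner, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed sample response to a query for 00001.gmail.com.
RESPONSE = [
    RR("answer", "00001.gmail.com", "A", "192.0.2.1"),      # address is made up
    RR("authority", "gmail.com", "NS", "www.gmail.com"),    # from the message
    RR("additional", "www.gmail.com", "A", "127.0.0.1"),    # from the message
    RR("additional", "www.example.net", "A", "192.0.2.7"),  # out of scope
    RR("additional", "www.notgmail.com", "A", "192.0.2.8"), # suffix match only
]

if __name__ == "__main__":
    ok, dropped = filter_response(RESPONSE, "gmail.com")
    for rr in ok:
        print("accept", rr.section, rr.owner, rr.rtype, rr.rdata)
    for rr in dropped:
        print("reject", rr.section, rr.owner, rr.rtype, rr.rdata)
```

Only the two contrast records are rejected, which is the point made above: a bailiwick filter cannot tell the delegation in this response from a legitimate one, because every record sits inside gmail.com.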