[78981] in North American Network Operators' Group
Re: DNS cache poisoning attacks -- are they real?
daemon@ATHENA.MIT.EDU (Florian Weimer)
Sun Mar 27 17:14:31 2005
From: Florian Weimer <fw@deneb.enyo.de>
To: nanog@merit.edu
Date: Mon, 28 Mar 2005 00:14:01 +0200
In-Reply-To: <6C057669C376541BCA1D2F29@[192.168.2.4]> (Alex Bligh's message of "Sat, 26 Mar 2005 22:36:05 +0000")
Errors-To: owner-nanog@merit.edu
* Alex Bligh:
> --On 26 March 2005 23:23 +0100 Florian Weimer <fw@deneb.enyo.de> wrote:
>
>> Should we monitor for evidence of hijacks (unofficial NS and SOA
>> records are good indicators)? Should we actively scan for
>> authoritative name servers which return unofficial data?
>
> And what if you find them?
If leaking unofficial data were considered a capital offense (in
Internet terms), many ISPs would take action. Apparently, it's not,
so detection is pretty much pointless.
> The only way you are going to prevent packet level (as opposed to
> organization level) DNS hijack is get DNSSEC deployed.
DNS cache poisoning (at least in the form which prompted me to start
this thread) is a quality-of-implementation issue. DNSSEC will not
magically increase code quality (but it will definitely increase
complexity), that's why I don't share the enthusiasm of the DNSSEC
crowd. 8->
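The monitoring idea raised earlier in the thread (treating NS and SOA records that do not match the official delegation as hijack indicators) can be turned into a simple check. The following is an added example, not code from the original post or from any of the participants: it parses dig-style answer lines, compares the NS RRset and the SOA MNAME seen in a resolver's answer against the delegation you expect from the parent zone, and reports any discrepancy. The zone, name servers and answer text are constructed for illustration (RFC 2606 reserved names); the "expected" delegation would in practice come from querying the parent zone's servers directly.

```python
# Added example: flag "unofficial" NS and SOA data in a resolver's answers by
# comparing them against the delegation published by the parent zone.
# All names and records below are constructed for illustration.
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


def canonical(name: str) -> str:
    """Lower-case a domain name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_records(text: str) -> list[RR]:
    """Parse dig-style answer lines of the form '<name> <ttl> IN <type> <rdata...>'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unparseable record line: {line!r}")
        name, _ttl, _cls, rtype, *rdata = fields
        records.append(RR(canonical(name), rtype.upper(), " ".join(rdata)))
    return records


def find_unofficial_data(zone: str, expected_ns: Iterable[str],
                         expected_soa_mname: str, records: list[RR]) -> list[str]:
    """Return human-readable findings; an empty list means the answer matches the delegation."""
    zone = canonical(zone)
    expected = {canonical(n) for n in expected_ns}
    findings = []

    # NS RRset at the zone apex as the resolver reports it.
    seen_ns = {canonical(r.rdata) for r in records if r.rtype == "NS" and r.name == zone}
    for host in sorted(seen_ns - expected):
        findings.append(f"unofficial NS for {zone}: {host}")
    if seen_ns:  # only judge completeness when the answer carried an NS set at all
        for host in sorted(expected - seen_ns):
            findings.append(f"official NS missing from answer for {zone}: {host}")

    # SOA MNAME is the first rdata field; a foreign primary is a strong hijack indicator.
    for r in records:
        if r.rtype == "SOA" and r.name == zone:
            mname = canonical(r.rdata.split()[0])
            if mname != canonical(expected_soa_mname):
                findings.append(f"unofficial SOA MNAME for {zone}: {mname}")
    return findings


# Constructed delegation data, as it would be obtained from the parent zone.
EXPECTED_NS = ["ns1.example.net", "ns2.example.net"]
EXPECTED_SOA_MNAME = "ns1.example.net"

# Constructed resolver answers: one consistent with the delegation, one not.
CLEAN_ANSWER = """\
example.net.  3600 IN NS  ns1.example.net.
example.net.  3600 IN NS  ns2.example.net.
example.net.  3600 IN SOA ns1.example.net. hostmaster.example.net. 2005032701 7200 3600 1209600 3600
"""

POISONED_ANSWER = """\
example.net.  86400 IN NS  ns1.example.net.
example.net.  86400 IN NS  ns.rogue.example.org.
example.net.  86400 IN SOA ns.rogue.example.org. hostmaster.example.org. 1 7200 3600 1209600 3600
"""


def audit(answer_text: str) -> list[str]:
    """Convenience wrapper tying the constructed delegation to one resolver answer."""
    return find_unofficial_data("example.net", EXPECTED_NS, EXPECTED_SOA_MNAME,
                                parse_records(answer_text))


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_ANSWER), ("poisoned", POISONED_ANSWER)):
        print(label, audit(text) or ["no unofficial data"])
```

Run against a real resolver, the answer text would be the answer section of a query to the resolver under observation, and the expected values would be fetched from the parent's name servers rather than hard-coded; the comparison itself is what the check consists of.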