[79035] in North American Network Operators' Group
Re: DNS cache poisoning attacks -- are they real?
daemon@ATHENA.MIT.EDU (Florian Weimer)
Tue Mar 29 06:05:31 2005
From: Florian Weimer <fw@deneb.enyo.de>
To: Brad Knowles <brad@stop.mail-abuse.org>
Cc: Joe Maimon <jmaimon@ttec.com>, nanog@merit.edu
Date: Tue, 29 Mar 2005 13:04:53 +0200
In-Reply-To: <p0620073dbe6cf5038c76@[10.0.1.3]> (Brad Knowles's message of
"Mon, 28 Mar 2005 00:43:22 +0100")
Errors-To: owner-nanog@merit.edu
* Brad Knowles:
> At 12:09 AM +0200 2005-03-28, Florian Weimer wrote:
>
>> I doubt this will work on a large scale.
>
> It's already been done on a large scale.
>
>> At least recent BIND
>> resolvers would discard replies from the abused caching resolvers
>> because they lack the AA bit, so only clients using the resolvers as
>> actual resolvers are affected.
>
> Incorrect.
Indeed.
> The resolver requiring that the AA bit be set would prohibit anyone
> from forwarding queries to another server, which might be answering
> from cache.
Would you point me to such a configuration? I don't think it will
work reliably for this purpose because BIND 9 only waives the
requirement for the AA bit if the authority section of the response
remotely looks like a referral. I doubt that this is the case if you
simply redirect to a cache.
