[79049] in North American Network Operators' Group
Re: DNS cache poisoning attacks -- are they real?
daemon@ATHENA.MIT.EDU (Florian Weimer)
Tue Mar 29 10:43:46 2005
From: Florian Weimer <fw@deneb.enyo.de>
To: Chris Brenton <cbrenton@chrisbrenton.org>
Cc: nanog <nanog@merit.edu>
Date: Tue, 29 Mar 2005 17:43:17 +0200
In-Reply-To: <1112110705.2101.118.camel@grendel> (Chris Brenton's message of "Tue, 29 Mar 2005 10:38:26 -0500")
Errors-To: owner-nanog@merit.edu
* Chris Brenton:
> In a perfect world, this might be a viable solution. The problem is
> there are far too many legitimate but "broken" name servers out there.
> On an average day I log well over 100 lame servers. If I broke this
> functionality, my helpdesk would get flooded pretty quickly with angry
> users.
Assuming BIND 9:
        /*
         * Is the server lame?
         */
        if (fctx->res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
            is_lame(fctx)) {
                log_lame(fctx, query->addrinfo);
                result = dns_adb_marklame(fctx->adb, query->addrinfo,
                                          &fctx->domain,
                                          now + fctx->res->lame_ttl);
                if (result != ISC_R_SUCCESS)
                        isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
                                      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
                                      "could not mark server as lame: %s",
                                      isc_result_totext(result));
                broken_server = DNS_R_LAME;
                keep_trying = ISC_TRUE;
                goto done;
        }
So if you see something in the logs, it is already broken. 8-)
The discussion in this part of the thread focuses on flagging more
servers as lame (which are currently not detected by BIND or even
logged).
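The fragment quoted above does four things in order: it skips the check when lame_ttl is 0 or the server is a forwarder, decides whether the reply shows the server to be lame, logs the event, and marks the (server, zone) pair lame until now + lame_ttl so the resolver tries another server instead. The following is an added, runnable model of that flow, written here for illustration and not taken from BIND or from either poster. Response, LameCache and handle_response are hypothetical names, the log line format is constructed, and the lameness rule (a server consulted as authoritative for a zone answers NOERROR/NXDOMAIN with no data and refers us somewhere that is not below that zone) is a simplified paraphrase of the check, not a port of is_lame().

```python
"""Simplified model of the lame-server handling in the BIND 9 fragment above.

Added example, not BIND's code.  Response, LameCache and handle_response are
hypothetical names; the lameness rule is a paraphrase of the check, not a port.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

NOERROR = 0
SERVFAIL = 2
NXDOMAIN = 3


def labels(name: str) -> List[str]:
    """Split an absolute or relative DNS name into lower-cased labels."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def name_relation(name: str, domain: str) -> str:
    """'equal', 'subdomain' (name strictly below domain) or 'other'."""
    n, d = labels(name), labels(domain)
    if n == d:
        return "equal"
    if len(n) > len(d) and n[len(n) - len(d):] == d:
        return "subdomain"
    return "other"


@dataclass
class Response:
    """The parts of a DNS reply the lameness check looks at (constructed)."""
    rcode: int
    aa: bool                    # Authoritative Answer flag
    answer_count: int
    authority_ns: List[str]     # owner names of NS RRsets in the authority section


def is_lame(expected_domain: str, resp: Response) -> bool:
    """True when a server we asked as authoritative for expected_domain
    shows by its reply that it does not actually serve that zone."""
    if resp.rcode not in (NOERROR, NXDOMAIN):
        return False            # SERVFAIL/REFUSED are a different failure, not lameness
    if resp.answer_count != 0:
        return False            # it answered; whatever else, it is not lame
    for owner in resp.authority_ns:
        rel = name_relation(owner, expected_domain)
        if rel == "equal" and resp.aa:
            return False        # authoritative NODATA/NXDOMAIN from the zone itself
        if rel == "subdomain":
            return False        # a normal downward referral
        return True             # referral sideways or upwards: lame
    return False                # no NS records to judge by


class LameCache:
    """Per-(server, zone) 'do not ask again until' table, like the ADB lame marks."""

    def __init__(self, lame_ttl: int):
        self.lame_ttl = lame_ttl  # 0 disables lame marking, as in the fragment
        self._until: Dict[Tuple[str, str], int] = {}

    def mark(self, server: str, zone: str, now: int) -> None:
        self._until[(server, zone.lower())] = now + self.lame_ttl

    def is_marked(self, server: str, zone: str, now: int) -> bool:
        until = self._until.get((server, zone.lower()))
        if until is None:
            return False
        if until <= now:
            del self._until[(server, zone.lower())]   # mark has expired
            return False
        return True


def handle_response(cache: LameCache, log: List[str], server: str, qname: str,
                    expected_domain: str, resp: Response, now: int,
                    is_forwarder: bool = False) -> bool:
    """Mirror of the branch in the fragment.  Returns True when the caller
    should drop this server and keep trying others (keep_trying)."""
    if cache.lame_ttl == 0 or is_forwarder or not is_lame(expected_domain, resp):
        return False
    # Constructed log format; only servers reaching this point are ever logged.
    log.append(f"lame server resolving '{qname}' (in '{expected_domain}'?): {server}")
    cache.mark(server, expected_domain, now)
    return True


if __name__ == "__main__":
    # Constructed scenario: 192.0.2.1 is delegated example.com. but refers us back to com.
    cache, log = LameCache(lame_ttl=600), []
    upward = Response(NOERROR, aa=False, answer_count=0, authority_ns=["com."])
    handle_response(cache, log, "192.0.2.1", "www.example.com.", "example.com.", upward, now=100)
    print(log[-1])
    print("skip 192.0.2.1 at t=150:", cache.is_marked("192.0.2.1", "example.com.", 150))
    print("skip 192.0.2.1 at t=700:", cache.is_marked("192.0.2.1", "example.com.", 700))
```

The point the model makes concrete is the one in the reply: a server only shows up in the lame-server log after it has already been judged lame and marked, so anything in the log is a server the resolver has already stopped asking for that zone; replies a server gives as a forwarder, or any reply when lame_ttl is 0, never reach the log at all.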