Dynamic DNS
daemon@ATHENA.MIT.EDU (Jethro Tull)
Mon Aug 30 18:34:53 1999
Date: Sat, 28 Aug 1999 20:08:36 -0700
Reply-To: Jethro Tull <jethro@DQC.ORG>
From: Jethro Tull <jethro@DQC.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
The following is taken directly from RFC2136.
(http://www.isi.edu/in-notes/rfc2136.txt)
--
8.1. In the absence of [RFC2137] or equivalent technology, the
protocol described by this document makes it possible for anyone who
can reach an authoritative name server to alter the contents of any
zones on that server. This is a serious increase in vulnerability
from the current technology. Therefore it is very strongly
recommended that the protocols described in this document not be used
without [RFC2137] or other equivalently strong security measures,
e.g. IPsec.
8.2. A denial of service attack can be launched by flooding an update
forwarder with TCP sessions containing updates that the primary
master server will ultimately refuse due to permission problems.
This arises due to the requirement that an update forwarder receiving
a request via TCP use a synchronous TCP session for its forwarding
operation. The connection management mechanisms of [RFC1035 4.2.2]
are sufficient to prevent large scale damage from such an attack, but
not to prevent some queries from going unanswered during the attack.
--
All Dynamic DNS services that I know of are vulnerable.
I am not going to include code, but it is a trivial task to spoof a packet (UDP or TCP) with RR data in the format this RFC specifies. In other words, anyone can manipulate RR records by sending bogus data because the only authentication is IP.
That is all I have to say about that.
jethro
"If I had of only known, I would have been a locksmith" - Albert Einstein
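As an added illustration (not part of Jethro's post, and not code for sending updates): a defender-side triage routine that decodes the RFC 2136 UPDATE header from a captured DNS request and flags updates whose additional section is empty, because a TSIG (RFC 2845) or SIG(0) transaction signature would have to sit there; for such an update the server's only basis for acceptance is the source address the post describes. The function names, the `src_ip` parameter and the sample headers are assumptions constructed here, not real captures.

```python
import struct

# DNS header layout per RFC 1035 section 4.1.1; RFC 2136 reinterprets the
# four section counts as ZOCOUNT/PRCOUNT/UPCOUNT/ADCOUNT for opcode 5 (UPDATE).
OPCODE_UPDATE = 5
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header; reject truncated input."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    ident, flags, c1, c2, c3, c4 = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = request, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "counts": (c1, c2, c3, c4),
    }

def triage_update(msg: bytes, src_ip: str) -> dict:
    """Classify a captured DNS request: is it an UPDATE, and does its
    additional section hold anything at all?  A TSIG or SIG(0) record can
    only live there, so ADCOUNT == 0 means the update is unsigned and the
    server can judge it by nothing but the (spoofable) source address."""
    hdr = parse_header(msg)
    if hdr["qr"] != 0 or hdr["opcode"] != OPCODE_UPDATE:
        name = OPCODE_NAMES.get(hdr["opcode"], str(hdr["opcode"]))
        return {"update": False, "opcode": name}
    zocount, prcount, upcount, adcount = hdr["counts"]
    return {
        "update": True,
        "src_ip": src_ip,          # the only identity an unsigned update carries
        "zones": zocount,
        "prerequisites": prcount,
        "updates": upcount,
        "additional": adcount,
        "unsigned": adcount == 0,  # no room for a TSIG/SIG(0) record
    }

# Constructed sample headers (hypothetical, not real captures): an UPDATE for one
# zone with one update RR and nothing additional, the same with one additional
# record (a candidate for a TSIG, to be parsed further), and a plain QUERY.
UNSIGNED_UPDATE = struct.pack("!HHHHHH", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 0)
UPDATE_WITH_ADDITIONAL = struct.pack("!HHHHHH", 0x1235, OPCODE_UPDATE << 11, 1, 0, 1, 1)
PLAIN_QUERY = struct.pack("!HHHHHH", 0x1236, 0x0100, 1, 0, 0, 0)

if __name__ == "__main__":
    for pkt in (UNSIGNED_UPDATE, UPDATE_WITH_ADDITIONAL, PLAIN_QUERY):
        print(triage_update(pkt, "192.0.2.10"))
```

An ADCOUNT above zero only says a signature might be present; a full check has to walk the additional section for a TSIG or SIG(0) RR and verify it against the configured key.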