[14369] in bugtraq


Re: The out-of-domain NS registration attack

daemon@ATHENA.MIT.EDU (Chris Adams)
Tue Mar 21 02:19:33 2000

Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000320101059.I25604@HiWAAY.net>
Date:         Mon, 20 Mar 2000 10:10:59 -0600
Reply-To: Chris Adams <cmadams@HIWAAY.NET>
From: Chris Adams <cmadams@HIWAAY.NET>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <03BD4485807BD311A9BA00902786F5F80864CC@ERDEV100-NTFS01>; from
              sanford.whiteman@INTERNAL.CONVEY.COM on Fri, Mar 17,
              2000 at 01:05:06PM -0500

Once upon a time, Sanford Whiteman <sanford.whiteman@INTERNAL.CONVEY.COM> said:
> Dave, you are certainly correct.  We just performed a giant name server
> migration and can verify that NSI's database has dual primary keys, or
> what-have-you, that prevent the attack.  A name server's IP address can only
> be associated with one NIC handle...once you bind a hostname to the IP, the
> hostname is bound to the NIC handle as well.  The only way to change this
> information is to be the contact for the name server's domain.  No one else
> can duplicate either of the keys.

What you are missing is this: if a domain has name servers that do NOT
exist in the root server list, they can be changed.  The original
example of hotmail.com was a good one.

hotmail.com.		12m40s IN NS	ns3.hotmail.com.
hotmail.com.		12m40s IN NS	ns1.jsnet.com.
hotmail.com.		12m40s IN NS	ns1.hotmail.com.

ns1.jsnet.com is not a registered name server, so you could try to
register an IP address for it other than its real address.

Now, if NetSol (and all of the registrars) restrict registration of a
name server to the technical/zone contacts for the domain (jsnet.com in
the above case), you _should_ still be okay.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.
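The exposure Chris describes is a zone that delegates to name servers outside its own domain, so the host record of such a server is governed by another domain's registrar contacts. The following audit script is an added example, not code from the original post or from any registrar: it parses NS records in the dig-style format shown above (the three hotmail.com lines are reproduced as constructed sample input), flags each name server that is out of the zone's bailiwick, and reports which domain's contacts control that server's registration. The `registrable_domain` helper assumes the last two labels form the registrable domain, a simplification; a real audit should consult the Public Suffix List.

```python
# Added example (not part of the original post): audit a zone's NS set for
# out-of-bailiwick name servers, i.e. servers whose host record is controlled
# by a different domain's registrar contacts than the zone's own.
import re
from collections import defaultdict

# Constructed sample input in dig's output format, matching the hotmail.com
# example quoted in the post.
SAMPLE_NS_OUTPUT = """\
hotmail.com.\t\t12m40s IN NS\tns3.hotmail.com.
hotmail.com.\t\t12m40s IN NS\tns1.jsnet.com.
hotmail.com.\t\t12m40s IN NS\tns1.hotmail.com.
"""

# owner  TTL  IN  NS  target  (TTL may be a bare number or dig's "12m40s" form)
NS_LINE = re.compile(r"^(\S+)\s+\S+\s+IN\s+NS\s+(\S+)\s*$", re.IGNORECASE)


def normalize(name):
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.strip().rstrip(".").lower()


def parse_ns_records(text):
    """Return a list of (zone, nameserver) tuples from dig-style NS lines."""
    records = []
    for line in text.splitlines():
        m = NS_LINE.match(line)
        if m:
            records.append((normalize(m.group(1)), normalize(m.group(2))))
    return records


def registrable_domain(host):
    """Assumption: the registrable domain is the last two labels.
    Real deployments should use the Public Suffix List (e.g. for co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def in_bailiwick(zone, host):
    """True if host is the zone apex or lies below it, so the zone's own
    contacts control its host record."""
    return host == zone or host.endswith("." + zone)


def audit_ns(records):
    """Group out-of-bailiwick name servers by the domain whose registrar
    contacts control their host records.  Returns
    {controlling_domain: [nameserver, ...]}; an empty dict means every
    name server is under the zone's own control."""
    exposure = defaultdict(list)
    for zone, ns in records:
        if not in_bailiwick(zone, ns):
            exposure[registrable_domain(ns)].append(ns)
    return dict(exposure)


if __name__ == "__main__":
    recs = parse_ns_records(SAMPLE_NS_OUTPUT)
    for dom, servers in audit_ns(recs).items():
        print(f"{dom}: {', '.join(servers)} "
              f"(host record controlled by the contacts for {dom})")
```

Run against the sample, the script reports `jsnet.com: ns1.jsnet.com`, the one server whose registration the hotmail.com contacts do not control and which therefore deserves the registrar-side restriction Chris asks for. Feeding it the output of `dig NS <zone>` for each zone you operate gives a quick inventory of third-party delegation dependencies.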
