[8541] in bugtraq
Re: NT DNS hacked ... ?
daemon@ATHENA.MIT.EDU (Marc Slemko)
Fri Nov 13 16:08:32 1998
Date: Fri, 13 Nov 1998 09:02:29 -0800
Reply-To: Marc Slemko <marcs@ZNEP.COM>
From: Marc Slemko <marcs@ZNEP.COM>
X-To: John Fraizer <John.Fraizer@ENTERZONE.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <3.0.32.19981112145032.0076c8e8@pop3.enterzone.net>

On Thu, 12 Nov 1998, John Fraizer wrote:
> You weren't hacked. It was NetSol/InterNIC showing us just how lame they
> are again by corrupting root servers.
>
> http://www.news.com/News/Item/0,4,28664,00.html?st.ne.fd.mdh

The above is unrelated to the below, AFAIK.

> At 11:47 AM 11/11/98 -0500, you wrote:
> >Anyone running MS's DNS notice, overnite or so, their cache files
> >(specifically the root name servers) replaced with a handful of entries for
> >allegro.net ... ?

The only thing that the Internic being idiots would have done, as far as I
have any evidence of, is claim that .com domains do not exist.

If your nameserver's cache was corrupted to think that allegro.net is
authoritative for .com (or .), then that is NOT related. While I would
need exact output from sample queries to the server to tell for sure, it
would appear that, if what the poster above said is true, the software
they are running is vulnerable to cache pollution, just like old versions
of BIND are. This is quite bad, both because someone with malicious
intent can do evil things and because there are an increasing number of
accidental situations where people somehow misconfigure their servers to
claim false authority.

As always, upgrade to a current version of BIND 8.x. In theory, the
latest 4.9 isn't vulnerable either but I don't trust it. If you are
running software from some other vendor, contact them to ensure that it
does not suffer from such problems.
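
Added example, not part of the original message and not code from BIND or any vendor: a minimal sketch of the bailiwick check a resolver can apply so that a server queried for one zone cannot plant NS data for .com or the root in the cache, which is the situation described above. The function names and the sample records (documentation-range addresses) are constructed for illustration.

```python
# Added illustration: bailiwick filtering of records in a DNS response.
# All records below are constructed sample data, not captured traffic.

def norm(name):
    """Lower-case a domain name and make it fully qualified ('com' -> 'com.')."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a name beneath it."""
    owner, zone = norm(owner), norm(zone)
    if zone == ".":
        return True  # every name is under the root
    # Require a label boundary so 'notallegro.net.' is not under 'allegro.net.'
    return owner == zone or owner.endswith("." + zone)

def filter_response(zone_asked, records):
    """Split a server's records into (accepted, rejected).

    zone_asked is the zone whose delegation led the resolver to this server.
    A server reached via the allegro.net. delegation may supply data for
    names under allegro.net., but not for com. or the root.
    """
    accepted, rejected = [], []
    for owner, rtype, rdata in records:
        rec = (norm(owner), rtype, rdata)
        (accepted if in_bailiwick(owner, zone_asked) else rejected).append(rec)
    return accepted, rejected

# Constructed response from a server reached via the allegro.net. delegation.
SAMPLE = [
    ("www.allegro.net.", "A", "192.0.2.10"),
    ("allegro.net.", "NS", "ns1.allegro.net."),
    ("ns1.allegro.net.", "A", "192.0.2.53"),
    ("com.", "NS", "ns1.allegro.net."),  # false claim of authority for .com
    (".", "NS", "ns1.allegro.net."),     # false claim of authority for the root
]

if __name__ == "__main__":
    ok, bad = filter_response("allegro.net.", SAMPLE)
    for rec in ok:
        print("cache  ", rec)
    for rec in bad:
        print("discard", rec)
```

A resolver without this check would cache the last two records and send later .com and root queries to the wrong server.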