[Dailydave] DNS Speculation
natron
shiftnato at gmail.com
Mon Jul 21 20:39:09 EDT 2008
What happens when the glue record isn't out-of-zone? If your RR
request is ulamYYYYY.domain.com, the DNS server would accept a
response for ns1.domain.com.
N
On Mon, Jul 21, 2008 at 2:50 PM, Petja van der Lek <lek at xs4all.nl> wrote:
> It looks like you're channelling Dan Bernstein, 8 years after the fact.
> See: <http://cr.yp.to/djbdns/notes.html>. What your diabolical scheme
> boils down to is the inappropriate caching of out-of-zone glue records.
> As far as I know, djbdns never cached out-of-zone glue records, and BIND
> stopped doing that with version 9. Um, it did, right? (pokes the *real*
> experts for support)
>
> Cheers,
> Lek.
>
> Halvar Flake wrote:
> [BIG SNIP]
>> Mallory wants to poison DNS lookups on server ns.polya.com for the
>> domain www.gmx.net. The nameserver
>> for gmx.net is ns.gmx.net. Mallory's IP is 244.244.244.244.
>>
>> Mallory begins to send bogus requests for www.ulam00001.com,
>> www.ulam00002.com ... to ns.polya.com.
>> ns.polya.com doesn't have these requests cached, so it asks a root
>> server "where can I find the .com NS?"
>> It then receives a referral to the .com NS. It asks the nameserver for
>> .com where to find the nameserver
>> for ulam00001.com, ulam00002.com etc.
>>
>> Mallory spoofs referrals claiming to come from the .com nameserver to
>> ns.polya.com. In these referrals, it
>> says that the nameserver responsible for ulamYYYYY.com is a server
>> called ns.gmx.net and that
>> this server is located at 244.244.244.244. Also, the time to live of
>> this referral is ... long ...
>>
>> Now eventually, Mallory will get one such referral spoofed right, e.g.
>> the TXID etc. will be guessed properly.
>> ns.polya.com will then cache that ns.gmx.net can be found at ...
>> 244.244.244.244. Yay.
>>
>> The above is almost certainly wrong. Can someone with more insight into
>> DNS tell me why it won't work?
>>
>>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
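The two cases discussed in this thread, run through a simplified resolver-side bailiwick filter for referral glue (an added example, not part of the original messages and not code from djbdns or BIND). It shows that the check drops the out-of-zone glue from Halvar's scenario but passes the in-zone glue natron asks about. The function names and the 192.0.2.53 address are constructed for illustration.

```python
# Added illustration: simplified bailiwick filtering of glue in a referral.
# Helper names are hypothetical; this is not djbdns or BIND code.

def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(name, zone):
    """True if `name` equals `zone` or is a subdomain of it.

    Compared label by label, so 'notdomain.com' is not inside 'domain.com'.
    """
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_glue(zone, ns_names, additional):
    """Split glue records into (accepted, dropped).

    zone       -- zone the queried server is authoritative for
    ns_names   -- NS targets named in the referral's authority section
    additional -- (owner, address) records from the additional section
    A record is kept only if it is named as an NS target and lies in `zone`.
    """
    wanted = {n.rstrip(".").lower() for n in ns_names}
    accepted, dropped = [], []
    for owner, addr in additional:
        key = owner.rstrip(".").lower()
        if key in wanted and in_bailiwick(key, zone):
            accepted.append((key, addr))
        else:
            dropped.append((key, addr))
    return accepted, dropped

# Case 1 (Halvar's message): a referral attributed to the .com servers
# carries glue for ns.gmx.net, which is outside .com.
CASE_OUT_OF_ZONE = filter_glue(
    "com", ["ns.gmx.net"], [("ns.gmx.net", "244.244.244.244")])

# Case 2 (natron's reply): the query is ulamYYYYY.domain.com and the glue is
# ns1.domain.com, inside the zone. 192.0.2.53 is a constructed address.
CASE_IN_ZONE = filter_glue(
    "domain.com", ["ns1.domain.com"], [("ns1.domain.com", "192.0.2.53")])

if __name__ == "__main__":
    print("out-of-zone glue:", CASE_OUT_OF_ZONE)
    print("in-zone glue:    ", CASE_IN_ZONE)
```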