Jonathan Yarden @ TechRepublic: Disable DNS caching on workstations
Peter & Karin Dambier
peter at peter-dambier.de
Mon Apr 18 20:08:01 UTC 2005
> Is it possible to "prevent" poisoning attacks? Is it beneficial, or
> even possible, to prevent TTLs from being an excessively high value?
>
> --
> Jason 'XenoPhage' Frisvold
> XenoPhage0 at gmail.com
>
Preventing poisoning attacks:
I guess most attacks are against windows workstations.
1) Hide them behind a NAT-router. If they cannot see them, they cannot
attack them.
2) Have your own DNS-server, root-server, authoritative server, cache.
You can have your own root-server: b.root-servers.net and c.root-servers.net
as well as f.root-servers.net allow cloning. Just run your Bind 9 as a slave
for ".". An authoritative server cannot be poisoned. Only resolvers can.
When you have sensitive addresses put them into your /etc/hosts or clone
their zone. Again Bind 9 allows it. Do their servers?
Get the zone file via ftp or email. Authoritative servers cannot be
poisoned.
Have your own cache behind the NAT-router. If they cannot see you they
cannot poison you.
There is one exception from the rule:
You browse "www.bad.guy". They have a nameserver "ns1.bad.guy" that returns
something like
;; ANSWER SECTION:
a.root-servers.net. 86268 IN A 205.189.71.2
Then your cache will be in the "Public-Root.net".
But remember - an authoritative DNS-server cannot be poisoned.
Regards,
Peter Dambier
--
Peter und Karin Dambier
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-6252-599091 (O2 Genion)
+49-6252-750308 (Sipgate VoIP)
peter at peter-dambier.de
www.peter-dambier.de
peter-dambier.site.voila.fr
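The setup Peter describes under point 2, written out here as a BIND 9 named.conf fragment added for illustration (it is not from the original post or from Peter's own configuration): a slave copy of the root zone transferred from root servers that permit AXFR, a cloned "sensitive" zone as an alternative to /etc/hosts entries, and recursion offered only to the LAN behind the NAT router. The LAN prefix 192.168.1.0/24, the domain sensitive.example and its master 192.0.2.53 are constructed placeholders; the addresses given for c and f root are the public ones but must be checked against the current root hints before use.

```conf
// Added example: BIND 9 named.conf fragment for the resolver described above.
// Recursion is offered only to the LAN behind the NAT router, so hosts on
// the outside cannot reach the cache at all.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { localhost; 192.168.1.0/24; };   // constructed LAN prefix
    allow-recursion { localhost; 192.168.1.0/24; };
    allow-transfer  { none; };   // this server never hands out zone copies
};

// Local slave copy of the root zone ("."). The server answers for the root
// from its own transferred file, so the delegations it starts from are
// authoritative data, not cached answers that could be poisoned.
zone "." {
    type slave;
    file "slave/root.zone";
    notify no;
    masters {
        192.33.4.12;    // c.root-servers.net (verify against current root hints)
        192.5.5.241;    // f.root-servers.net (verify against current root hints)
    };
};

// A sensitive zone cloned the same way instead of pinning names in
// /etc/hosts. sensitive.example and its master address are placeholders;
// the zone owner must permit AXFR to this resolver for the transfer to work.
zone "sensitive.example" {
    type slave;
    file "slave/sensitive.example.zone";
    notify no;
    masters { 192.0.2.53; };
};
```

After reloading, `dig @127.0.0.1 . NS` should be answered with the AA flag set, confirming the root zone is served from the local file rather than from cache.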