how to protect name servers against cache corruption

tqbf at smtp.enteract.com tqbf at smtp.enteract.com
Wed Jul 30 04:38:59 UTC 1997


In article <19970730001246.22933 at netmonger.net>, you wrote:
>_details_.  Paul has written papers on DNS security, along with BIND
>itself, and I'm inclined to believe him when he says there are no more
>trivial fixes.  If you know of one, why don't you share it?  I'm not

Fair enough.

Here's a simple piece of input. If BIND 8.1.1 receives a DNS query
response with an invalid query ID, it logs it and drops the packet.
However, the invalid query ID is evidence of an attack in progress. Why
doesn't BIND parse the packet, find out what question is being answered,
and immediately re-issue the query with a different ID?

In other words, it's possible for BIND to detect that it is under attack
(in a response-forged query-ID guessing situation). BIND doesn't do
anything about this. Why?

Just the simplest suggestion I can come up with (without having this go
into multiple pages) to convey the idea that I am trying to be
constructive here. 

I'm not sure this is the appropriate forum for this discussion 
(*copout*Ididn'tstartthisthread*copout*), but if you want further details
as to my harebrained suggestions, I'm happy to give them!

-- 
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf at enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));
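The behaviour proposed in the message (on a response whose query ID does not match any outstanding query, log it, find out which question it claims to answer, and immediately re-issue that question with a fresh ID) sketched as a toy stub resolver. This is an added example, not BIND code and not from the poster; the packet helpers cover only the header and question section of RFC 1035, the `Resolver` class and its `max_reissues` cap are hypothetical, and the response packets are constructed in the test rather than received from the network. The cap is the one caveat a practitioner would want: without it, every forged packet that arrives buys the sender another query, so a flood of bad-ID responses would keep the resolver re-issuing indefinitely.

```python
import os
import struct
from dataclasses import dataclass

# --- minimal DNS wire-format helpers (RFC 1035): header + question section only ---

def encode_name(name):
    """Encode a dotted name as a sequence of length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(pkt, off):
    """Decode the name at `off`, following compression pointers; returns (name, next_off)."""
    labels = []
    while True:
        length = pkt[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, then the name ends
            ptr = ((length & 0x3F) << 8) | pkt[off]
            labels.append(decode_name(pkt, ptr)[0])
            return ".".join(labels), off + 1
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off

def build_query(qid, qname, qtype=1, qclass=1):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)    # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)

def build_response(qid, qname, ip, qtype=1, qclass=1):
    """Constructed response for tests: QR|RD|RA, one question, one A record (name as pointer 0xC00C)."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr

def parse_response(pkt):
    """Pull out the ID and the question the response claims to answer."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": qid, "flags": flags, "qname": qname.lower(),
            "qtype": qtype, "qclass": qclass, "ancount": an}

@dataclass
class Pending:
    qname: str
    qtype: int
    qclass: int
    reissues: int = 0

class Resolver:
    """Hypothetical stub resolver: outstanding queries keyed by transaction ID."""

    def __init__(self, rng=None, max_reissues=3):
        self.pending = {}          # query ID -> Pending
        self.sent = []             # query packets handed to the (absent) transport
        self.log = []              # what a real resolver would syslog
        self.max_reissues = max_reissues
        self._rng = rng or (lambda: struct.unpack("!H", os.urandom(2))[0])

    def _fresh_id(self):
        while True:
            qid = self._rng()
            if qid not in self.pending:
                return qid

    def send_query(self, qname, qtype=1, qclass=1, reissues=0):
        qid = self._fresh_id()
        self.pending[qid] = Pending(qname.lower(), qtype, qclass, reissues)
        self.sent.append(build_query(qid, qname, qtype, qclass))
        return qid

    @staticmethod
    def _match(p, r):
        return (p.qname, p.qtype, p.qclass) == (r["qname"], r["qtype"], r["qclass"])

    def receive(self, pkt):
        r = parse_response(pkt)
        p = self.pending.get(r["id"])
        if p is not None and self._match(p, r):
            del self.pending[r["id"]]      # ID and question agree: accept as usual
            return "accepted", r["id"]
        # Bad ID (or an ID reused for a different question): log it, as BIND does, but
        # also treat it as evidence of forgery and re-issue the matching outstanding query.
        self.log.append("bad query id 0x%04x for %s/%d" % (r["id"], r["qname"], r["qtype"]))
        for old_id, q in list(self.pending.items()):
            if self._match(q, r):
                del self.pending[old_id]   # retire the ID the forger is aiming at
                if q.reissues + 1 > self.max_reissues:   # cap so a flood cannot keep us looping
                    self.log.append("giving up on %s after %d re-issues" % (q.qname, q.reissues))
                    return "abandoned", None
                return "reissued", self.send_query(q.qname, q.qtype, q.qclass, q.reissues + 1)
        return "dropped", None
```

Pass `rng` a callable that returns 16-bit values to make the IDs deterministic for testing; the default draws from `os.urandom`. Re-issuing does not make the 16-bit ID space any larger, it only forces the forger to start guessing again, which is why the example gives up after a few rounds instead of answering every bad packet with a new query.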
