how to protect name servers against cache corruption

Jay R. Ashworth jra at scfn.thpl.lib.fl.us
Wed Jul 30 13:15:35 UTC 1997


On Wed, Jul 30, 1997 at 04:38:59AM -0000, tqbf at smtp.enteract.com wrote:
> >itself, and I'm inclined to believe him when he says there are no more
> >trivial fixes.  If you know of one, why don't you share it?  I'm not
> 
> Fair enough.
> 
> Here's a simple piece of input. If BIND 8.1.1 receives a DNS query
> response with an invalid query ID, it logs it and drops the packet.
> However, the invalid query ID is evidence of an attack in progress. Why
> doesn't BIND parse the packet, find out what question is being answered,
> and immediately re-issue the query with a different ID?

If a copy of BIND _receives_ a query, decides it's bogus, logs it, and
drops it, then a question isn't _being_ answered, it's being _asked_.

Why _would_ BIND re-issue a query?  It hadn't _issued_ that query in
the first place.  Or, in simpler terms, "huh"?

> In other words, it's possible for BIND to detect that it is under attack
> (in a response-forged query-ID guessing situation). BIND doesn't do
> anything about this. Why?

This isn't so much a security bug, but more a lack of a security-enhancing
feature.  It _certainly_ doesn't merit the veiled character assassination
you've been using it to justify.

> Just the simplest suggestion I can come up with (without having this go
> into multiple pages) to convey the idea that I am trying to be
> constructive here. 

You've failed.

> I'm not sure this is the appropriate forum for this discussion 
> (*copout*Ididn'tstartthisthread*copout*), but if you want further details
> as to my harebrained suggestions, I'm happy to give them!

Time to move this to bind-workers, no?  Perry, Paul?

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra at baylink.com
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592
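
Added example, not code from BIND or from anyone in this thread: a Python sketch of the check the quoted proposal describes, and of the objection raised above. A response is accepted only when its ID and question both match an outstanding query; a wrong ID for a question that really is in flight is logged and the question re-issued under a new random ID, while a "response" to a question the resolver never asked is simply dropped. All names (build_packet, parse_question, Resolver) are assumed.

```python
import os
import struct
# Constructed example, not BIND's code: track outstanding queries by ID and
# treat a response with the wrong ID for an in-flight question as evidence
# of ID guessing, re-issuing that question under a fresh random ID.
def build_packet(qname, qtype=1, qid=None, response=False):
    # One question, no answer records; flags are QR/RD/RA for a response.
    if qid is None:
        qid = struct.unpack("!H", os.urandom(2))[0]
    hdr = struct.pack("!HHHHHH", qid, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in qname.rstrip(".").split("."))
    return qid, hdr + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(pkt):
    # Returns (qid, is_response, qname, qtype); question names are never compressed.
    qid, flags = struct.unpack("!HH", pkt[:4])
    pos, labels = 12, []
    while pkt[pos]:
        labels.append(pkt[pos + 1:pos + 1 + pkt[pos]].decode("ascii"))
        pos += 1 + pkt[pos]
    qtype = struct.unpack("!H", pkt[pos + 1:pos + 3])[0]
    return qid, bool(flags & 0x8000), ".".join(labels) + ".", qtype

class Resolver:
    def __init__(self):
        self.outstanding = {}   # qid -> (qname, qtype)
        self.alerts = []        # one line per suspected forgery
    def send(self, qname, qtype=1):
        qid, wire = build_packet(qname, qtype)
        self.outstanding[qid] = (qname, qtype)
        return qid, wire

    def receive(self, pkt):
        # Returns "accept", "drop", or ("reissue", new_qid, wire).
        qid, is_response, qname, qtype = parse_question(pkt)
        if not is_response:
            return "drop"                 # a query being asked, not an answer
        if self.outstanding.get(qid) == (qname, qtype):
            del self.outstanding[qid]     # ID and question both match
            return "accept"
        stale = [k for k, v in self.outstanding.items() if v == (qname, qtype)]
        if not stale:
            return "drop"                 # we never asked this; nothing to protect
        # Wrong ID for an in-flight question: log it, retire that ID, ask again.
        self.alerts.append(f"id {qid:#06x} mismatch for {qname}/{qtype}")
        for k in stale:
            del self.outstanding[k]
        new_qid, wire = self.send(qname, qtype)
        return ("reissue", new_qid, wire)
```

The alerts list is where a real server would hook its logging; the re-issue path only fires for a question the resolver itself has outstanding, which is the distinction the reply above insists on.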