Jonathan Yarden @ TechRepublic: Disable DNS caching on workstations

Tony Rall trall at almaden.ibm.com
Mon Apr 18 21:10:03 UTC 2005


On Monday, 2005-04-18 at 22:08 ZE2, "Peter & Karin Dambier" 
<peter at peter-dambier.de> wrote:
> Preventing poisoning attacks:
> 
> I guess most attacks are against windows workstations.

I'm not sure what you mean by this.  Cache poisoning applies to machines 
that are doing caching.  It can affect any machine that depends on that 
cache.
 
> 1) Hide them behind a NAT-router. If they cannot see them, they cannot
> attack them.

I certainly hope that this would not help.  I hope that caching machines 
will not simply take a packet from a random address and source port 53 and 
use it to update their cache.  I hope that the source address, source 
port, and destination port, at least, are checked to correspond to an 
outstanding dns query.  If those all match, the packet will very likely 
get through a nat router.  In other words, the nat router provides no 
protection from this attack at all.  Why?  Because it's an attack based on 
traffic that the natted machine has initiated.

> 2) Have your own DNS-server, root-server, authoritative server, cache.
> 
> You can have your own root-server: b.root-servers.net and c.root-servers.net
> as well as f.root-servers.net allow cloning. Just run your Bind 9 as a slave
> for "." . An authoritative server cannot be poisoned. Only resolvers can.

Certainly authoritative servers can be poisoned, but not for the domains 
that they're authoritative for.  Running your own root only provides 
protection for the root zone.  If I make a query for www.badguy.com and 
the auth. server for badguy.com returns an answer for www.yahoo.com in the 
additional data, if I cache it, I'm likely poisoned.  That can happen even 
if I'm auth. for root.

Tony Rall
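The two checks Tony describes, written up as an added example that is not from the thread or from any particular resolver: a reply is only matched against an outstanding query when source address, source port, destination port, transaction ID and name all agree (which a forged packet from a random address fails, but a reply to a query the NATed host itself sent passes), and records outside the responding server's zone are dropped before caching. The dataclass names, the `zone` field and the `(name, ip)` record tuples are assumptions.

```python
# Added example: simplified resolver-side acceptance checks for DNS replies.
# Structures and field names are assumptions, not any real resolver's API.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Query:
    server_ip: str    # authoritative server the query was sent to
    server_port: int  # normally 53
    local_port: int   # source port the resolver used for this query
    txid: int         # 16-bit transaction ID
    qname: str        # name asked for, e.g. "www.badguy.com."
    zone: str         # zone that server is authoritative for, e.g. "badguy.com."

@dataclass
class Response:
    src_ip: str
    src_port: int
    dst_port: int
    txid: int
    qname: str
    answers: list = field(default_factory=list)     # (name, ip) tuples
    additional: list = field(default_factory=list)  # (name, ip) tuples

def matches_outstanding(resp, outstanding):
    """Return the outstanding Query this reply belongs to, or None.
    A packet from a random address with source port 53 fails here; a reply
    that matches all five fields is exactly the traffic a NAT router lets
    back in, so NAT adds nothing to this check."""
    for q in outstanding:
        if (resp.src_ip == q.server_ip and resp.src_port == q.server_port
                and resp.dst_port == q.local_port and resp.txid == q.txid
                and resp.qname.lower() == q.qname.lower()):
            return q
    return None

def in_bailiwick(name, zone):
    """True if name is zone itself or lies below it."""
    n = name.lower().rstrip(".") + "."
    z = zone.lower().rstrip(".") + "."
    return n == z or n.endswith("." + z)

def accept_records(resp, q):
    """Keep only records the responding server is authoritative for, so an
    answer for www.badguy.com cannot plant www.yahoo.com in the cache."""
    return [(n, ip) for n, ip in resp.answers + resp.additional
            if in_bailiwick(n, q.zone)]
```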
