Jonathan Yarden @ TechRepublic: Disable DNS caching on workstations
Tony Rall
trall at almaden.ibm.com
Mon Apr 18 21:10:03 UTC 2005
On Monday, 2005-04-18 at 22:08 ZE2, "Peter & Karin Dambier"
<peter at peter-dambier.de> wrote:
> Preventing poisoning attacks:
>
> I guess most attacks are against windows workstations.
I'm not sure what you mean by this. Cache poisoning applies to machines
that are doing caching. It can affect any machine that depends on that
cache.
> 1) Hide them behind a NAT-router. If they cannot see them, they cannot
> attack them.
I certainly hope that this would not help. I hope that caching machines
will not simply take a packet from a random address and source port 53 and
use it to update their cache. I hope that the source address, source
port, and destination port, at least, are checked to correspond to an
outstanding dns query. If those all match, the packet will very likely
get through a nat router. In other words, the nat router provides no
protection from this attack at all. Why? Because it's an attack based on
traffic that the natted machine has initiated.
> 2) Have your own DNS-server, root-server, authoritative server, cache.
>
> You can have your own root-server: b.root-servers.net and c.root-servers.net
> as well as f.root-servers.net allow cloning. Just run your Bind 9 as a slave
> for "." . An authoritative server cannot be poisoned. Only resolvers can.
Certainly authoritative servers can be poisoned, but not for the domains
that they're authoritative for. Running your own root only provides
protection for the root zone. If I make a query for www.badguy.com and
the auth. server for badguy.com returns an answer for www.yahoo.com in the
additional data, if I cache it, I'm likely poisoned. That can happen even
if I'm auth. for root.
Tony Rall
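As an added example (not part of the thread or any resolver's actual code), a toy Python model of the two resolver-side checks the reply above describes: matching an inbound reply against the query that was actually sent, and refusing to cache additional data that lies outside the responding server's bailiwick. The record values and addresses are constructed; `badguy.com` and `www.yahoo.com` are the names used in the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    """Per-request state a resolver keeps after sending a query upstream."""
    dst_addr: str  # server we sent the query to
    src_port: int  # our source port; the reply must come back to it
    txid: int      # 16-bit transaction ID chosen when the query was sent
    qname: str

@dataclass(frozen=True)
class Response:
    """Fields of an inbound UDP packet claiming to answer a query."""
    src_addr: str
    src_port: int
    dst_port: int
    txid: int
    qname: str

def matches_outstanding(q: Query, r: Response) -> bool:
    """Accept a reply only if it lines up with a query we actually sent.
    Any packet that passes this check also passes a NAT router, because
    the NAT sees it as the return traffic of a connection we initiated."""
    return (r.src_addr == q.dst_addr and r.src_port == 53
            and r.dst_port == q.src_port and r.txid == q.txid
            and r.qname.lower() == q.qname.lower())

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone (case-insensitive, trailing dot ignored)."""
    n = name.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(n) >= len(z) and n[-len(z):] == z

def cacheable_records(zone, records):
    """Keep only records the responding server is authoritative for.
    records are (owner, rrtype, rdata) triples from any response section."""
    return [rr for rr in records if in_bailiwick(rr[0], zone)]

# Constructed sample: the badguy.com server answers for www.badguy.com but
# slips an A record for www.yahoo.com into the additional section.
SAMPLE_RECORDS = [
    ("www.badguy.com", "A", "198.51.100.10"),
    ("ns1.badguy.com", "A", "198.51.100.53"),
    ("www.yahoo.com", "A", "198.51.100.99"),  # out of bailiwick, must not be cached
]

if __name__ == "__main__":
    kept = cacheable_records("badguy.com", SAMPLE_RECORDS)
    print(kept)  # the www.yahoo.com record is dropped
```

Running a root slave changes nothing here: the bailiwick filter is applied per responding server, and the root zone only tells the resolver where `com` lives.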