DNS cache poisoning attacks -- are they real?

Chris Brenton cbrenton at chrisbrenton.org
Mon Mar 28 11:44:59 UTC 2005

On Mon, 2005-03-28 at 01:04, John Payne wrote:
> And to Randy's point about problems with open recursive nameservers... 
> abusers have been known to cache "hijack".  Register a domain, 
> configure an authority with very large TTLs, seed it onto known open 
> recursive nameservers, update domain record to point to the open 
> recursive servers rather than their own.  Wammo, "bullet proof" dns 
> hosting.

I posted a note to Bugtraq on this process about a year and a half ago
as at the time I noticed a few spammers using this technique. Seems they
were doing this to protect their NS from retaliatory attacks. 

Large TTLs only get you so far. It all depends on the default setting of
max-cache-ttl. For BIND this is 7 days; for MS DNS it is 24 hours. Obviously
spammers can do a lot of damage in 7 days. :(
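To make the max-cache-ttl point concrete, here is a small added simulation (not code from the post or from any resolver) of a caching resolver that clamps incoming TTLs. The two clamp values are the defaults quoted above (BIND 7 days, MS DNS 24 hours); the record name, address, 30-day TTL and timeline are constructed for the example. It shows how long a seeded record stays answerable from cache before the resolver has to go back to the authority, which is the window the post is describing.

```python
"""Toy model of a recursive resolver's max-cache-ttl clamp.

Added illustration, not code from the original mailing-list post. The
BIND and MS DNS defaults are the figures quoted in the post; the cache
class, record names and probe timeline are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

DAY = 86400
BIND_MAX_CACHE_TTL = 7 * DAY    # default quoted in the post
MSDNS_MAX_CACHE_TTL = 1 * DAY   # default quoted in the post


@dataclass
class CachedRRset:
    rdata: str
    expires_at: int             # absolute time (seconds) at which the entry is evicted


class RecursiveCache:
    """Minimal positive cache: one rdata per name, TTL clamped on insert."""

    def __init__(self, max_cache_ttl: int):
        self.max_cache_ttl = max_cache_ttl
        self._entries: dict[str, CachedRRset] = {}

    def store(self, name: str, rdata: str, ttl: int, now: int) -> int:
        """Cache an answer and return the TTL actually applied after clamping."""
        applied = min(max(ttl, 0), self.max_cache_ttl)
        self._entries[name] = CachedRRset(rdata, now + applied)
        return applied

    def lookup(self, name: str, now: int) -> Optional[tuple[str, int]]:
        """Return (rdata, remaining_ttl) if still cached, else None (cache miss)."""
        entry = self._entries.get(name)
        if entry is None or entry.expires_at <= now:
            self._entries.pop(name, None)
            return None
        return entry.rdata, entry.expires_at - now


def hijack_window(record_ttl: int, max_cache_ttl: int) -> int:
    """Seconds a seeded record survives in a resolver's cache without refresh."""
    return min(max(record_ttl, 0), max_cache_ttl)


def seed_and_walk(max_cache_ttl: int, record_ttl: int, probe_days: list[int]) -> dict[int, bool]:
    """Seed one record at t=0 and report whether it still answers on each probe day.

    Constructed scenario: the abuser's authority hands out a 30-day TTL, then
    the domain's NS records are repointed at the open recursive server. Once
    the clamped TTL runs out the cache misses and the seeded answer is gone.
    """
    cache = RecursiveCache(max_cache_ttl)
    t0 = 0
    cache.store("www.spamdomain.example", "192.0.2.10", record_ttl, t0)  # constructed
    return {d: cache.lookup("www.spamdomain.example", t0 + d * DAY) is not None
            for d in probe_days}


if __name__ == "__main__":
    for label, clamp in (("BIND", BIND_MAX_CACHE_TTL), ("MS DNS", MSDNS_MAX_CACHE_TTL)):
        window = hijack_window(30 * DAY, clamp)
        print(f"{label}: 30-day TTL clamped to {window // DAY} day(s);",
              seed_and_walk(clamp, 30 * DAY, [0, 1, 6, 7, 8]))
```

Run it as a script and the two lines show the same 30-day record living 7 days on a BIND-style cache and 1 day on an MS DNS-style cache, regardless of what the abuser's authority advertised.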