DNS cache poisoning attacks -- are they real?

John Payne john at sackheads.org
Mon Mar 28 06:04:22 UTC 2005



On Mar 27, 2005, at 1:25 PM, Christopher L. Morrow wrote:

> Larger providers have the problem that you can't easily filter
> 'customers' from 'non-customers' in a sane and scalable fashion.

Hrm?  Larger providers tend to have old swamp space lying around :)

Throw the resolvers on a netblock that's not routed out to your border 
routers (transit, peering), only the customer facing ones... with a 
secondary address that is routed.  Secondary address doesn't listen for 
queries, only answers.

And to Randy's point about problems with open recursive nameservers... 
abusers have been known to cache "hijack".  Register a domain, 
configure an authority with very large TTLs, seed it onto known open 
recursive nameservers, update domain record to point to the open 
recursive servers rather than their own.  Wammo, "bullet proof" dns 
hosting.

(Yeah, it'd be nice if people didn't listen to non-AA answers to their 
queries, but they do).
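As an added illustration of the "non-AA answers" point above (this is example code, not part of the original post), the Python below parses the AA flag and answer TTLs out of a DNS reply and applies a defensive caching policy: refuse a non-authoritative answer where an authoritative one was expected, and clamp oversized TTLs so a seeded record cannot linger. The sample reply, the 24-hour clamp and the expect-authoritative setting are constructed assumptions for this example.

```python
import struct

MAX_TTL = 86400  # assumed local policy: never cache longer than one day

def encode_name(name):
    # Wire-format name: length-prefixed labels, terminated by a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(name, ip, aa, ttl):
    # Constructed sample reply to an A query, used only to exercise the parser.
    flags = 0x8180 | (0x0400 if aa else 0)          # QR, RD, RA (+ AA when set)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # type A, class IN
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer

def skip_name(msg, off):
    # Advance past a name, whether written as labels or as a compression pointer.
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:
            return off + 2
        if l == 0:
            return off + 1
        off += 1 + l

def parse_response(msg):
    # Return the AA flag and the TTL of every record in the answer section.
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(msg, off)
        _, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return {"aa": bool(flags & 0x0400), "ttls": ttls}

def cache_decision(msg, expect_authoritative=True):
    # Policy: reject non-AA data when we asked an authority, clamp large TTLs.
    info = parse_response(msg)
    if expect_authoritative and not info["aa"]:
        return ("reject", [])
    return ("accept", [min(t, MAX_TTL) for t in info["ttls"]])
```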




More information about the NANOG mailing list