DNS cache poisoning attacks -- are they real?
Chris Brenton
cbrenton at chrisbrenton.org
Mon Mar 28 11:44:59 UTC 2005
On Mon, 2005-03-28 at 01:04, John Payne wrote:
>
> And to Randy's point about problems with open recursive nameservers...
> abusers have been known to cache "hijack". Register a domain,
> configure an authority with very large TTLs, seed it onto known open
> recursive nameservers, update domain record to point to the open
> recursive servers rather than their own. Wammo, "bullet proof" dns
> hosting.
I posted a note to Bugtraq on this process about a year and a half ago
as at the time I noticed a few spammers using this technique. Seems they
were doing this to protect their NS from retaliatory attacks.
http://cert.uni-stuttgart.de/archive/bugtraq/2003/09/msg00164.html
Large TTLs only get you so far. All depends on the default setting of
max-cache-ttl. For BIND this is 7 days. MS DNS is 24 hours. Obviously
spammers can do a lot of damage in 7 days. :(
HTH,
Chris
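The thread describes two things a resolver operator can reason about concretely: how a resolver's max-cache-ttl clamps an attacker-supplied TTL (the 7-day BIND and 24-hour MS DNS defaults Chris cites), and the "point the domain's NS at the open recursive servers" step John describes. The following is an added example, not code from the thread or from BIND or MS DNS; it is a small Python model of a resolver cache that applies the TTL cap, plus a check that flags cached delegations whose NS names resolve into the operator's own resolver address space. The zone names, addresses, TTLs and the OWN_RESOLVERS range are constructed for illustration.

```python
"""
Added example (not part of the NANOG thread): model of max-cache-ttl clamping
and a check for delegations that point back at the operator's own recursive
resolvers.  All names, addresses and TTLs below are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Defaults quoted in the thread, expressed in seconds.
BIND_DEFAULT_MAX_CACHE_TTL = 7 * 24 * 3600   # 604800 s (7 days)
MS_DNS_MAX_CACHE_TTL = 24 * 3600             # 86400 s (24 hours)


@dataclass
class CachedRR:
    name: str
    rtype: str
    rdata: str
    ttl: int          # TTL as served by the (attacker-controlled) authority
    inserted_at: int  # resolver clock, in seconds, when the record was cached


def effective_ttl(served_ttl: int, max_cache_ttl: int) -> int:
    """A caching resolver honours at most max-cache-ttl, whatever the authority says."""
    return min(served_ttl, max_cache_ttl)


def expires_at(rr: CachedRR, max_cache_ttl: int) -> int:
    return rr.inserted_at + effective_ttl(rr.ttl, max_cache_ttl)


def still_cached(rr: CachedRR, now: int, max_cache_ttl: int) -> bool:
    """True while the record would still be answered from cache at time `now`."""
    return now < expires_at(rr, max_cache_ttl)


def survival_seconds(rr: CachedRR, caps: dict) -> dict:
    """How long a seeded record survives under each named cap."""
    return {name: effective_ttl(rr.ttl, cap) for name, cap in caps.items()}


def find_self_referencing_delegations(cache, own_resolver_nets):
    """
    Flag zones whose NS names resolve (via cached A records) into the operator's
    own recursive-resolver address space: the hijack pattern from the thread,
    where the registrant repoints the domain's NS at the open resolvers.
    Returns a list of (zone, ns_name, address) tuples.
    """
    nets = [ipaddress.ip_network(n) for n in own_resolver_nets]
    a_by_name = {}
    for rr in cache:
        if rr.rtype == "A":
            a_by_name.setdefault(rr.name, []).append(rr.rdata)
    findings = []
    for rr in cache:
        if rr.rtype != "NS":
            continue
        for addr in a_by_name.get(rr.rdata, []):
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in nets):
                findings.append((rr.name, rr.rdata, addr))
    return findings


# Constructed sample cache: one seeded zone with a 30-day TTL whose NS now
# points at "our" open resolver (192.0.2.53), and one ordinary zone.
THIRTY_DAYS = 30 * 24 * 3600
SAMPLE_CACHE = [
    CachedRR("spamzone.example", "A", "203.0.113.10", THIRTY_DAYS, 0),
    CachedRR("spamzone.example", "NS", "ns1.spamzone.example", THIRTY_DAYS, 0),
    CachedRR("ns1.spamzone.example", "A", "192.0.2.53", THIRTY_DAYS, 0),
    CachedRR("legit.example", "NS", "ns.legit.example", 3600, 0),
    CachedRR("ns.legit.example", "A", "198.51.100.7", 3600, 0),
]
OWN_RESOLVERS = ["192.0.2.0/24"]  # constructed: our recursive resolvers' range
CAPS = {"bind": BIND_DEFAULT_MAX_CACHE_TTL, "msdns": MS_DNS_MAX_CACHE_TTL}


if __name__ == "__main__":
    seeded = SAMPLE_CACHE[0]
    for cap_name, secs in survival_seconds(seeded, CAPS).items():
        print(f"{seeded.name} served with TTL {seeded.ttl}s survives "
              f"{secs // 3600}h under {cap_name} max-cache-ttl")
    for zone, ns, addr in find_self_referencing_delegations(SAMPLE_CACHE, OWN_RESOLVERS):
        print(f"delegation for {zone} via {ns} points at our resolver {addr}")
```

The cap is the mitigation knob the thread is about: lowering max-cache-ttl shortens how long a seeded record lives, at the cost of more upstream queries. The delegation check is the complementary detection: if a zone's NS glue lands inside your own resolver range, someone has set your open resolver up as their authority.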