DNS cache poisoning attacks -- are they real?

Florian Weimer fw at deneb.enyo.de
Tue Mar 29 11:04:53 UTC 2005


* Brad Knowles:

> At 12:09 AM +0200 2005-03-28, Florian Weimer wrote:
>
>>  I doubt this will work on a large scale.
>
> 	It's already been done on a large scale.
>
>>                                            At least recent BIND
>>  resolvers would discard replies from the abused caching resolvers
>>  because they lack the AA bit, so only clients using the resolvers as
>>  actual resolvers are affected.
>
> 	Incorrect.

Indeed.

> The resolver requiring that the AA bit be set would prohibit anyone
> from forwarding queries to another server, which might be answering
> from cache.

Would you point me to such a configuration?  I don't think it will
work reliably for this purpose because BIND 9 only waives the
requirement for the AA bit if the authority section of the response
remotely looks like a referral.  I doubt that this is the case if you
simply redirect to a cache.
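
An added example, not part of the original message and not BIND's code: a small Python classifier for the distinction discussed above, applied to raw DNS responses. The "referral-like" rule (AA clear, no answer records, authority section holding only NS records) is an assumed simplification, and the sample messages are constructed.

```python
import struct

QR, AA, RA = 0x8000, 0x0400, 0x0080   # header flag bits (RFC 1035)
TYPE_A, TYPE_NS = 1, 2

def skip_name(msg, off):
    """Return the offset just past an (optionally compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # a compression pointer ends the name
            return off + 2
        off += 1 + n

def classify(msg):
    """Label a response by AA bit and authority-section shape (assumed rule)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        return "not-a-response"
    if flags & AA:
        return "authoritative"
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(an + ns):           # answer records, then authority records
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    auth = types[an:]
    if an == 0 and auth and all(t == TYPE_NS for t in auth):
        return "referral-like"
    return "non-authoritative"

# --- constructed sample messages (not captured traffic) ---
def name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"

def rr(owner, rtype, rdata):
    return name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

def response(flags, answers=(), authority=()):
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    question = name("www.example.com") + struct.pack("!HH", TYPE_A, 1)
    return hdr + question + b"".join(answers) + b"".join(authority)

A_RR = rr("www.example.com", TYPE_A, bytes([192, 0, 2, 1]))
CACHED = response(QR | RA, answers=[A_RR])                  # answer from a cache
REFERRAL = response(QR, authority=[rr("example.com", TYPE_NS, name("ns1.example.com"))])
AUTH = response(QR | AA, answers=[A_RR])
```

The cached answer carries answer records without AA, so it is labelled "non-authoritative" rather than "referral-like"; truncated input raises an exception instead of being classified.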


