DNS cache poisoning attacks -- are they real?
Florian Weimer
fw at deneb.enyo.de
Tue Mar 29 11:04:53 UTC 2005
* Brad Knowles:
> At 12:09 AM +0200 2005-03-28, Florian Weimer wrote:
>
>> I doubt this will work on a large scale.
>
> It's already been done on a large scale.
>
>> At least recent BIND
>> resolvers would discard replies from the abused caching resolvers
>> because they lack the AA bit, so only clients using the resolvers as
>> actual resolvers are affected.
>
> Incorrect.
Indeed.
> The resolver requiring that the AA bit be set would prohibit anyone
> from forwarding queries to another server, which might be answering
> from cache.
Would you point me to such a configuration? I don't think it will
work reliably for this purpose because BIND 9 only waives the
requirement for the AA bit if the authority section of the response
remotely looks like a referral. I doubt that this is the case if you
simply redirect to a cache.
More information about the NANOG
mailing list