DNS cache poisoning attacks -- are they real?

Florian Weimer fw at deneb.enyo.de
Tue Mar 29 11:08:50 UTC 2005


* Simon Waters:

>> This is _nothing_ to do with what you're running on the recursive
>> nameserver.  It is doing _exactly_ what it is supposed to do.  Get
>> answers, store in cache, respond to queries from cache if TTL isn't
>> expired.
>
> The answers from a recursive server won't be marked authoritative (AA bit not
> set), and so correct behaviour is to discard (BIND will log a lame server
> message as well by default) these records.

Unfortunately, this is not quite true.  Brad and Chris are right.  I
couldn't believe it either, but after a long stare at BIND's is_lame
function, I have to agree with them.

BIND accepts non-authoritative answers if their additional section
looks a bit like a referral.  I don't think that this check is
deliberately lax, but stricter checks are simply harder to do on this
particular code path.

> If your recursive resolver doesn't discard these records, suggest
> you get one that works ;)

Which one would?  Keep in mind that referrals do not have the AA bit
set, so a simple filter wouldn't work.
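To make the last point concrete: a referral and a cached (non-authoritative) answer both arrive with the AA bit clear, so a resolver cannot tell them apart from the header flags alone; it has to look at the shape of the sections. The example below is added here and is not code from the thread or from BIND; it builds three constructed DNS responses (an authoritative answer, a delegation referral, and a non-authoritative answer of the kind a recursive server hands out from its cache) and classifies them by AA bit plus section contents. The classification rule is a deliberately simplified illustration, not a reproduction of BIND's is_lame logic.

```python
"""Classify DNS responses by the AA bit and the shape of their sections.

Added example (not from the NANOG thread or from BIND). Messages are
constructed in-line in DNS wire format with no name compression on the
build side; the decoder does understand compression pointers.
"""
import struct

TYPE_A, TYPE_NS = 1, 2
CLASS_IN = 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_rr(name, rtype, rdata, ttl=3600):
    """Encode one resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(qname, aa, answers, authority):
    """Build a response with one A question and the given answer/authority RRs."""
    flags = FLAG_QR | (FLAG_AA if aa else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + b"".join(answers) + b"".join(authority)


def decode_name(msg, off):
    """Decode a name at offset `off`; returns (labels, offset after the name)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return labels + tail, off + 2
        off += 1
        if length == 0:
            return labels, off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg):
    """Return (aa_bit, answer_rrs, authority_rrs); each RR is (name, type, rdata)."""
    _, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):            # skip the question section
        _, off = decode_name(msg, off)
        off += 4                        # QTYPE + QCLASS
    sections = []
    for count in (ancount, nscount):
        rrs = []
        for _ in range(count):
            labels, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((".".join(labels) + ".", rtype, msg[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return bool(flags & FLAG_AA), sections[0], sections[1]


def classify(msg):
    """Simplified rule: AA set -> authoritative; no AA, empty answer section and
    NS records in authority -> referral; anything else without AA is a
    non-authoritative answer that a resolver should not treat as authoritative."""
    aa, answers, authority = parse_response(msg)
    if aa:
        return "authoritative"
    if not answers and any(rtype == TYPE_NS for _, rtype, _ in authority):
        return "referral"
    return "non-authoritative"


# Constructed sample messages (names and addresses are illustrative only).
A_RR = encode_rr("www.example.com.", TYPE_A, bytes([192, 0, 2, 10]))
NS_RR = encode_rr("example.com.", TYPE_NS, encode_name("ns1.example.com."))

SAMPLES = {
    "from authoritative server": build_response("www.example.com.", True, [A_RR], []),
    "delegation referral":       build_response("www.example.com.", False, [], [NS_RR]),
    "from another recursor":     build_response("www.example.com.", False, [A_RR], []),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:28s} -> {classify(msg)}")
```

Run stand-alone it prints one line per sample. The point the thread makes is visible in the second and third samples: both have AA clear, so "drop everything without AA" would discard the referral and break resolution, which is why a resolver that wants to reject non-authoritative answers must inspect the answer and authority sections rather than the flag alone.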



More information about the NANOG mailing list