DNS cache poisoning attacks -- are they real?

Florian Weimer fw at deneb.enyo.de
Tue Mar 29 15:43:17 UTC 2005


* Chris Brenton:

> In a perfect world, this might be a viable solution. The problem is
> there are far too many legitimate but "broken" name servers out there.
> On an average day I log well over 100 lame servers. If I broke this
> functionality, my helpdesk would get flooded pretty quickly with angry
> users.

Assuming BIND 9:

        /*
         * Is the server lame?
         */
        if (fctx->res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
            is_lame(fctx)) {
                log_lame(fctx, query->addrinfo);
                result = dns_adb_marklame(fctx->adb, query->addrinfo,
                                          &fctx->domain,
                                          now + fctx->res->lame_ttl);
                if (result != ISC_R_SUCCESS)
                        isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
                                      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
                                      "could not mark server as lame: %s",
                                      isc_result_totext(result));
                broken_server = DNS_R_LAME;
                keep_trying = ISC_TRUE;
                goto done;
        }

So if you see something in the logs, it is already broken. 8-)

The discussion in this part of the thread focuses on flagging more
servers as lame (which are currently not detected by BIND or even
logged).
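As an added illustration (not from this thread or from BIND itself), here is a small Python script that reads the lines log_lame() writes to the lame-servers category and reports which servers would still be marked lame given a lame-ttl, the same `now + lame_ttl` expiry the quoted resolver code uses. The log line shape and the 600-second default lame-ttl are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed shape of a BIND 9 lame-servers log line (category lame-servers,
# written by log_lame()); the exact prefix depends on the logging channel.
LAME_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})(?:\.\d+)? "
    r"lame server resolving '(?P<name>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)$"
)
TS_FMT = "%d-%b-%Y %H:%M:%S"

# Constructed sample log; the last line is unrelated noise that must be skipped.
SAMPLE_LOG = """\
29-Mar-2005 15:40:02.101 lame server resolving 'www.example.net' (in 'example.net'?): 192.0.2.53#53
29-Mar-2005 15:41:17.330 lame server resolving 'mail.example.net' (in 'example.net'?): 192.0.2.53#53
29-Mar-2005 15:42:55.004 lame server resolving 'host.example.org' (in 'example.org'?): 198.51.100.7#53
29-Mar-2005 15:43:17.000 client 203.0.113.9#1234: query: example.com IN A
"""

def parse_lame(line):
    """Return (timestamp, server, zone) for a lame-server line, else None."""
    m = LAME_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("server"), m.group("zone")

def lame_event_counts(lines):
    """Count lame-server log events per (server, zone) pair."""
    counts = Counter()
    for line in lines:
        rec = parse_lame(line)
        if rec:
            counts[(rec[1], rec[2])] += 1
    return counts

def still_marked(lines, now_str, lame_ttl=600):
    """(server, zone) pairs whose most recent lame event expires after `now`.

    Mirrors dns_adb_marklame(..., now + lame_ttl): a mark from the latest
    event lasts lame_ttl seconds (600 is the assumed BIND 9 default).
    """
    now = datetime.strptime(now_str, TS_FMT)
    latest = {}
    for line in lines:
        rec = parse_lame(line)
        if rec:
            ts, server, zone = rec
            latest[(server, zone)] = max(latest.get((server, zone), ts), ts)
    ttl = timedelta(seconds=lame_ttl)
    return {k for k, ts in latest.items() if ts + ttl > now}

if __name__ == "__main__":
    for (server, zone), n in lame_event_counts(SAMPLE_LOG.splitlines()).items():
        print(f"{server} lame for {zone}: {n} event(s)")
    print("still marked at 15:52:00:", still_marked(SAMPLE_LOG.splitlines(), "29-Mar-2005 15:52:00"))
```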
