DNS attacks evolve

Jack Bates jbates at brightok.net
Mon Aug 11 09:41:54 CDT 2008


Joe Greco wrote:
> 
> 6) Have someone explain to me the reasoning behind allowing the corruption
>    of in-cache data, even if the data would otherwise be in-bailiwick.  I'm 
>    not sure I quite get why this has to be.  It would seem to me to be safer
>    to discard the data.  (Does not eliminate the problem, but would seem to
>    me to reduce it)
> 
I had this question in my post weeks ago. No one bothered to reply. Older 
poisoning is why the auth data must be within the same zone to be cached, but 
apparently no one bothered to question the wisdom of altering existing cache data.

Wish they'd just fix the fault in the logic and move on. Talking til everyone is 
blue in the face about protocol changes and encryption doesn't serve operations. 
There are recursive resolvers that work just fine without the issues some 
standard resolvers have. The protocol seems to work, some vendors just need to 
change how they use it and tighten up on cache integrity.

> 7) Have someone explain to me the repeated claims I've seen that djbdns and
>    Nominum's server are not vulnerable to this, and why that is.
> 

PowerDNS has this to say about their non-vulnerability status:

http://mailman.powerdns.com/pipermail/pdns-users/2008-July/005536.html

I know some very happy providers that haven't had to patch. I hope to be one of 
them on the next round.


Jack
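
A simplified model of the cache policy discussed in this message, added here as an illustration and not taken from any resolver named in the thread: a record that rides along in a response is cached only if it is in-bailiwick, and it is discarded rather than allowed to replace a live cache entry. The class, the function names, the status strings and the sample records are all constructed for this example.

```python
import time

def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_bailiwick(name, zone):
    """True when name is the zone itself or sits below it, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

class ResolverCache:
    """Toy cache keyed by (owner name, record type); values are (rdata, expiry)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.entries = {}

    def lookup(self, name, rtype):
        hit = self.entries.get((".".join(labels(name)), rtype))
        return hit[0] if hit and hit[1] > self.clock() else None

    def offer(self, name, rtype, rdata, ttl, zone):
        """Handle a record carried in a response from the servers for `zone`."""
        if not in_bailiwick(name, zone):
            return "rejected: out of bailiwick"
        if self.lookup(name, rtype) is not None:
            return "discarded: live entry kept"   # never alter unexpired data
        self.entries[(".".join(labels(name)), rtype)] = (rdata, self.clock() + ttl)
        return "cached"

def demo():
    now = [0.0]                                   # fake clock so expiry is testable
    cache = ResolverCache(clock=lambda: now[0])
    zone = "example.com"                          # constructed sample data below
    results = [
        cache.offer("ns1.example.com", "A", "192.0.2.53", 300, zone),
        cache.offer("ns1.example.com", "A", "203.0.113.66", 86400, zone),
        cache.offer("www.example.net", "A", "203.0.113.66", 86400, zone),
        cache.offer("ns1.badexample.com", "A", "203.0.113.66", 86400, zone),
    ]
    kept = cache.lookup("ns1.example.com", "A")
    now[0] = 301.0                                # first entry's TTL has run out
    results.append(cache.offer("ns1.example.com", "A", "192.0.2.54", 300, zone))
    return results, kept, cache.lookup("ns1.example.com", "A")

if __name__ == "__main__":
    print(demo())
```

The second offer is in-bailiwick and would pass the older check alone; it is the live-entry test that discards it, and a replacement is accepted only once the original TTL has expired.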




