DNS attacks evolve

Jack Bates jbates at brightok.net
Mon Aug 11 10:46:27 CDT 2008

Leo Bicknell wrote:
> If your vendor told you that you are not at risk they are wrong,
> and need to go re-read the Kaminski paper.  EVERYONE is vunerable,
> the only question is if the attack takes 1 second, 1 minute, 1 hour
> or 1 day.  While possibly interesting for short term problem
> management none of those are long term fixes.  I'm not sure your
> customers care when .COM is poisoned if it took the attacker 1
> second or 1 day.

EVERYONE with a CACHE MIGHT be vulnerable. Have studies been done to determine 
if existing cached records will be overwritten on ALL caching resolvers?

Poisoning has always and will always be possible until DNSSEC, but the question 
isn't if you can poison a few off the wall records, but if you can poison the 
resolver in any meaningful way. If the cache isn't passively overwritten, then 
the only records you could poison would be records that aren't cached.

The operational impact would be a much smaller scope. .COM will be cached 
constantly and to poison it, the attacker would have to forge the packet in the 
small window of cache expiry to renewal.

This can be mitigated even more if sites give out auth on negative responses, 
which means for that specific domain, the attacker gets 1 shot to spoof and then 
the auth info is cached. Obviously there is a downside to sending larger 
packets, but that is a decision for the domain holder.

I'll be happy to add DNSSEC to my operational list as soon as it's actually 
useful (other people can argue over who signs what).


More information about the NANOG mailing list