[Fwd: Re: DNS attacks evolve]
Mike Leber
mleber at he.net
Thu Aug 14 17:07:30 UTC 2008
FYI. There was some question here about whether PowerDNS was vulnerable
or not and what it was doing, so I asked Bert Hubert about it. Here is
his answer:
-------- Original Message --------
Subject: Re: [Fwd: Re: DNS attacks evolve]
Date: Wed, 13 Aug 2008 21:29:50 +0200
From: bert hubert <bert.hubert at netherlabs.nl>
To: Mike Leber <mleber at he.net>
References: <48A08113.6010801 at he.net>
On Mon, Aug 11, 2008 at 11:12:35AM -0700, Mike Leber wrote:
> Is there any post anywhere that provides more technical detail about how
> the PowerDNS cache is not vulnerable?
Mike, very briefly, PowerDNS implements two things: source port
randomization + near miss detection.
Near miss detection is documented here:
http://doc.powerdns.com/built-in-recursor.html
spoof-nearmiss-max
If set to non-zero, PowerDNS will assume it is being spoofed after
seeing this many answers with the wrong id. Defaults to 20.
Some more is in:
http://doc.powerdns.com/recursor-details.html
> I'll post a link to it and provide other operators a better answer than
> the equivalent of "because I say so". The answer could be anything such
> as "we reject updates to glue when", or "it takes 10 years based on
> these calculations...".
Calculations on how long it will take are on
http://blog.netherlabs.nl/articles/2008/08/05/calculating-the-chance-of-spoofing-an-agile-source-port-randomised-resolver
These calculations go beyond what powerdns 3.1.7 does however.
>
> If your vendor told you that you are not at risk they are wrong,
> and need to go re-read the Kaminsky paper. EVERYONE is vulnerable,
> the only question is if the attack takes 1 second, 1 minute, 1 hour
> or 1 day. While possibly interesting for short term problem
Or 1 year, or 2 years or a century.
Bert
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
--
+---------------- H U R R I C A N E - E L E C T R I C ----------------+
| Mike Leber Wholesale IPv4 and IPv6 Transit 510 580 4100 |
| Hurricane Electric AS6939 |
| mleber at he.net Internet Backbone & Colocation http://he.net |
+---------------------------------------------------------------------+
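The two defences Bert names above, source port randomisation and near-miss detection, can be seen working together in a small model. The following Python is an added example written for this archive page, not PowerDNS code; it assumes a toy resolver that keys outstanding questions by (name, source port), counts near misses per outstanding question, and abandons a question once the counter reaches a `nearmiss_max` threshold (the per-question counting and the abandon behaviour are assumptions of the model, as is the uniform-guess probability helper).

```python
"""Model of source-port randomisation plus near-miss detection
(the spoof-nearmiss-max idea) for a caching resolver.

Added example for this mailing-list page; not PowerDNS's implementation.
"""
import random


class Resolver:
    """Toy resolver that tracks outstanding questions by (qname, source port).

    An answer is accepted only if it arrives on the port the question left
    from AND carries that question's 16-bit transaction id. Correct port but
    wrong id is a "near miss"; after `nearmiss_max` of them for one question
    the resolver assumes it is being spoofed and drops the question.
    (Per-question counting is an assumption of this model.)
    """

    def __init__(self, nearmiss_max=20, rng=None):
        self.nearmiss_max = nearmiss_max
        self.rng = rng or random.Random()
        # (qname, port) -> {"txid": int, "near_misses": int}
        self.pending = {}
        self.spoof_events = []  # qnames abandoned as suspected spoof targets

    def send_query(self, qname):
        """Pick a fresh random source port and transaction id per question."""
        while True:
            port = self.rng.randint(1024, 65535)
            if (qname, port) not in self.pending:
                break
        txid = self.rng.getrandbits(16)
        self.pending[(qname, port)] = {"txid": txid, "near_misses": 0}
        return port, txid

    def receive_answer(self, qname, port, txid):
        """Classify an incoming answer: ignored, accepted, near-miss or spoofed."""
        entry = self.pending.get((qname, port))
        if entry is None:
            return "ignored"  # nothing outstanding on that port: silently dropped
        if entry["txid"] == txid:
            del self.pending[(qname, port)]
            return "accepted"
        entry["near_misses"] += 1
        if entry["near_misses"] >= self.nearmiss_max:
            # Too many wrong-id answers on the right port: assume spoofing,
            # abandon this question rather than keep waiting for a "hit".
            del self.pending[(qname, port)]
            self.spoof_events.append(qname)
            return "spoofed"
        return "near-miss"


def guess_probability(port_range=64512, id_space=65536):
    """Chance that one blindly forged answer matches both port and id,
    assuming uniform random choice over both (simplified model)."""
    return 1.0 / (port_range * id_space)


if __name__ == "__main__":
    # Constructed walk-through: three wrong-id answers on the right port.
    r = Resolver(nearmiss_max=3, rng=random.Random(1))
    port, txid = r.send_query("example.com.")
    for _ in range(3):
        print(r.receive_answer("example.com.", port, (txid + 1) & 0xFFFF))
    print("per-packet guess probability:", guess_probability())
```

With the threshold lowered to 3 for the walk-through, the third wrong-id answer on the correct port makes the resolver give up on that question; a resolver that only randomised the id and kept waiting would instead keep evaluating every forged packet that arrived.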