TLD servers with recursion was Re: Exploit for DNS Cache Poisoning - RELEASED
Simon Waters
simonw at zynet.net
Thu Jul 24 09:06:25 UTC 2008
On Thursday 24 July 2008 05:17:59 Paul Ferguson wrote:
>
> Let's hope some very large service providers get their act together
> real soon now.
>
> http://www.hackerfactor.com/blog/index.php?/archives/204-Poor-DNS.html
It isn't going to happen without BIG political pressure, either from users, or
governments, and other bodies.
I checked last night, and noticed TLD servers for .VA and .MUSEUM are still
offering recursion amongst a load of less popular top level domains.
Indeed just under 10% of the authoritative name servers mentioned in the root
zone file still offer recursion.
I didn't check IPv6 servers, but these IPv4 servers are potentially vulnerable
to this (and other) poisoning attacks. Hard to pin down numbers as some have
been patched, and some have unusual behaviour on recursion, but I fancy my
chances of owning more than a handful of TLDs if I had the time to try (and
immunity from prosecution).
The advice NOT to allow recursion on TLD servers is well over a decade old. So
who thinks the current fashionable problem will be patched widely in a
month - given it is much less critical in nature?
The .MUSEUM server that is offering recursion is hosted by the Getty
Foundation, so I assume money isn't the issue. The Vatican ought to be able
to find someone in its billion adherents prepared to help configure a couple
of name servers.
I also noticed that one of the ".US" servers doesn't exist in the DNS proper,
glue exists but not the record in the zone. I'm guessing absence of a name
server's name record in its proper zone makes certain spoofing attacks easier
(since you are only competing with glue records), although I can't
specifically demonstrate that one for blackhat 2008 - it suggests a certain
lack of attention on the part of the domain's administrators.
I was tempted to write a mock RFC, proposing dropping all top level domain
names which still have recursion enabled in one or more of their name
servers - due to "lack of maintenance". A little humour might help make the
point, slashdot might go for it.
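An added example (not part of the post) of the kind of check it describes: a standard-library Python probe that operators can point at their own authoritative servers. It sends a recursion-desired (RD=1) query for a name the server is not authoritative for and reports whether the reply carries the RA (recursion available) flag with answers. The probe name www.example.com and the command-line server IPs are assumptions.

```python
"""Probe whether an authoritative name server still offers recursion.

Hypothetical helper, not a tool from the post. A server that refuses
recursion answers with RA=0 (typically REFUSED or a referral, no answers).
"""
import socket
import struct

PROBE_ID = 0x1234  # constructed query id used by the probe


def build_query(qname: str, qid: int = PROBE_ID) -> bytes:
    """Build a minimal DNS A/IN query with only the RD bit set (flags 0x0100)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields that matter for this check."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # response bit
        "aa": bool(flags & 0x0400),   # authoritative answer
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 5 == REFUSED
        "ancount": an,
    }


def offers_recursion(resp: bytes, qid: int = PROBE_ID) -> bool:
    """True when the reply matches our id, advertises RA and carries answers."""
    h = parse_header(resp)
    return h["id"] == qid and h["qr"] and h["ra"] and h["ancount"] > 0


def check_server(server_ip: str, qname: str = "www.example.com.", timeout: float = 3.0) -> bool:
    """Send the probe over UDP to one server and report whether it resolved recursively."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server_ip, 53))
        resp, _ = s.recvfrom(4096)
    return offers_recursion(resp)


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:  # assumed: IPs of name servers you administer
        print(ip, "offers recursion" if check_server(ip) else "refuses recursion")
```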