TLD servers with recursion was Re: Exploit for DNS Cache Poisoning - RELEASED

Simon Waters simonw at zynet.net
Thu Jul 24 04:06:25 CDT 2008


On Thursday 24 July 2008 05:17:59 Paul Ferguson wrote:
>
> Let's hope some very large service providers get their act together
> real soon now.
>
> http://www.hackerfactor.com/blog/index.php?/archives/204-Poor-DNS.html

It isn't going to happen without BIG political pressure, either from users, or 
governments, and other bodies.

I checked last night, and noticed TLD servers for .VA and .MUSEUM are still 
offering recursion amongst a load of less popular top level domains.

Indeed just under 10% of the authoritative name servers mentioned in the root 
zone file still offer recursion.

I didn't check IPv6 servers, but these IPv4 servers are potentially vulnerable 
to this (and other) poisoning attacks. Hard to pin down numbers as some have 
been patched, and some have unusual behaviour on recursion, but I fancy my 
chances of owning more than a handful of TLDs if I had the time to try (and 
immunity from prosecution).

The advice NOT to allow recursion on TLD servers is well over a decade old. So 
who thinks the current fashionable problem will be patched widely in a 
month - given it is much less critical in nature?

The .MUSEUM server that is offering recursion is hosted by the Getty 
Foundation, so I assume money isn't the issue. The Vatican ought to be able 
to find someone in its billion adherents prepared to help configure a couple 
of name servers.

I also noticed that one of the ".US" servers doesn't exist in the DNS proper, 
glue exists but not the record in the zone. I'm guessing absence of a name 
servers name record in its proper zone makes certain spoofing attacks easier 
(since you are only competing with glue records), although I can't 
specifically demonstrate that one for blackhat 2008 - it suggests a certain 
lack of attention on the part of the domain's administrators.

I was tempted to write a mock RFC, proposing dropping all top level domain 
names which still have recursion enabled in one or more of their name 
servers - due to "lack of maintanence". A little humour might help make the 
point, slashdot might go for it.







More information about the NANOG mailing list