Exploit for DNS Cache Poisoning - RELEASED

Tony Finch dot at dotat.at
Thu Jul 24 07:21:07 CDT 2008


On Wed, 23 Jul 2008, Kevin Day wrote:
>
> The new way is slightly more sneaky. You get the victim to try to
> resolve an otherwise invalid and uncached hostname like 00001.gmail.com,
> and try to beat the real response with spoofed replies. Except this time
> your reply comes with an additional record containing the IP for
> www.gmail.com to the one you want to redirect it to. If you win the race
> and the victim accepts your spoof for 00001.gmail.com, it will also
> accept (and overwrite any cached value) for your additional record for
> www.gmail.com as well.

RFC 2181 says the resolver should not overwrite authoritative data with
additional data in this manner.

I believe the Matasano description is wrong.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
FORTIES CROMARTY FORTH TYNE DOGGER: EAST OR SOUTHEAST 3 OR 4, INCREASING 5 OR
6 LATER. SLIGHT OR MODERATE. FOG PATCHES. GOOD, OCCASIONALLY VERY POOR.




More information about the NANOG mailing list