bind: how to accept authoritative answers only?

D. J. Bernstein 75628121832146-bind at sublist.cr.yp.to
Sat Jan 27 23:01:58 UTC 2001


I'm sending this message to both the BIND mailing list and the
BIND-replacements mailing list. It's unfortunate that there's so much
misinformation running around.

1. Declarations of authority are a silly feature of the DNS protocol.
They do nothing to stop attackers.

2. dnscache (the caching part of djbdns) and BIND (since 1997) have the
same basic protection against cache poisoning: they accept yahoo.com
information only from the yahoo.com and .com and root servers.

3. Attackers can pose as the yahoo.com and .com and root servers by
forging packets. A sniffing attacker on your network can easily control
your incoming and outgoing DNS information.

4. Installing DNSSEC does nothing to protect you, and it will continue
to do nothing for the foreseeable future. For a detailed analysis, see
http://cr.yp.to/djbdns/forgery.html. That page also describes the
anti-forgery mechanism in development versions of djbdns.

5. Blind forgeries are much easier against BIND than against djbdns,
because BIND keeps using the same UDP port for each query, while djbdns
uses a new hard-to-predict UDP port for each query. (Both programs use
hard-to-predict IDs.)

6. The most widespread attack is completely different: attackers exploit
BIND security holes to take over the BIND program (which usually means
the entire machine). There's a $500 guarantee that djbdns doesn't have
any security holes: http://cr.yp.to/djbdns/guarantee.html.

---Dan
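Points 2 and 5 of the message above describe two resolver-side defenses in a sentence each. The following Python is an added illustration, not code from djbdns, BIND, or Dan Bernstein: it applies the point-2 acceptance rule (keep a record only if the server that sent it was reached as authority for a zone containing the record's owner name, ignoring any "authoritative" flag in the reply), and it shows the arithmetic behind point 5 (a blind forger's per-packet odds with a fixed port versus a fresh random port and ID per query). The server-to-zone table, the addresses, and the record tuples are all constructed for the example.

```python
import secrets

# Constructed sample: the resolver walked root -> com -> yahoo.com and so
# knows which zone each server it asked is responsible for. The addresses
# are documentation-range placeholders, not real name servers.
SERVER_ZONE = {
    "192.0.2.1": ".",          # reached as a root server
    "192.0.2.2": "com",        # reached as a .com server
    "192.0.2.3": "yahoo.com",  # reached as a yahoo.com server
}


def in_bailiwick(owner, zone):
    """True if the owner name lies inside zone (the root zone contains all)."""
    owner = owner.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return zone == "" or owner == zone or owner.endswith("." + zone)


def filter_response(server_ip, records):
    """Point-2 rule: a record is kept only when the replying server is one the
    resolver itself reached as authority for a zone containing the record's
    owner name. The AA bit in the reply plays no part in the decision.
    records: list of (owner, rrtype, rdata). Returns (kept, dropped)."""
    zone = SERVER_ZONE.get(server_ip)
    if zone is None:
        # A reply from an address we never queried carries no weight at all.
        return [], list(records)
    kept = [r for r in records if in_bailiwick(r[0], zone)]
    dropped = [r for r in records if not in_bailiwick(r[0], zone)]
    return kept, dropped


def guess_space(id_values=65536, port_values=1):
    """Number of equally likely (query ID, source port) pairs a blind forger
    must match; the chance that one spoofed packet fits is 1/guess_space.
    A fixed source port leaves only the 16-bit ID (port_values=1)."""
    return id_values * port_values


def new_query_identity():
    """Point-5 mitigation: an unpredictable ID and source port for each query.
    Ports below 1024 are skipped, as an unprivileged resolver would do."""
    query_id = secrets.randbelow(65536)
    port = 1024 + secrets.randbelow(65536 - 1024)
    return query_id, port


if __name__ == "__main__":
    # A .com server answering a yahoo.com lookup: the delegation and its glue
    # are in bailiwick; an unsolicited record for another zone is dropped.
    reply = [
        ("yahoo.com", "NS", "ns1.yahoo.com"),
        ("ns1.yahoo.com", "A", "198.51.100.10"),
        ("www.example.net", "A", "203.0.113.99"),  # out of zone, rejected
    ]
    kept, dropped = filter_response("192.0.2.2", reply)
    print("kept:   ", kept)
    print("dropped:", dropped)
    print("fixed port guess space:", guess_space())
    print("random port guess space:", guess_space(65536, 65536 - 1024))
    print("next query identity (id, port):", new_query_identity())
```

The bailiwick table is keyed by the address the resolver actually sent its query to; a real resolver would also match the reply's ID, port and question section against the outstanding query before reaching this filter, which is exactly the check whose strength point 5 is about.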

