idea about forging dns data
Peter Dambier
peter at peter-dambier.de
Wed Aug 31 14:24:10 UTC 2005
Sami Kerola wrote:
> Hello,
>
> I am a hostmaster and a while ago a co-worker asked whether it is possible to
> lie about 2000-3000 names in a resolver. His noble cause was kiddie porn
> sites, which should resolve to some other IP than the real site
> where the immoral material exists.
>
> The first idea was to declare the zone as a master on the resolver and make it
> empty. Unfortunately all other hosts in the same domain will stop
> working. This "solution" is also quite hard to keep clean because
> of the many, many zone files.
>
> Second I thought of a zone transfer from a root server and putting the bad
> names into the root file, where they'd be served. But that does not
> work because names in the root file are not authoritative and the resolver
> will look the data up from the authoritative server.
>
> The third and last idea I came up with was cache poisoning. If there
> were some deterministic way to poison our own resolvers, then
> every single record could be a forgery. This "forgery" zone could
> even have a master server and there could be many sources of forgery
> records, so that one blocks kiddie porn, one blocks hoax web pages
> etc. As far as I know current bind does not have this kind of feature,
> but how hard would developing it be? If this feature is
> possible, does anyone else see anything good in this, maybe so much
> good that this feature will be developed?
>
> Before everyone starts to shout about politics etc. please read
> the paragraph below.
>
> I am fully aware that all the ideas above break DNS. I also
> acknowledge that a data forgery zone is a perfect tool for internet
> censorship and has a negative impact on freedom of speech. Putting
> nonsense into the resolver cache might also cause mystical failures for
> everyone who uses the resolver.
>
>
Hi Sami,
today I am in the DNS business because some fools here in
Germany played tricks on a friend using forged DNS.
It was our honorable Regierungspraesident Buessow who installed
the necessary tools to censor some sites he felt were not proper for
children.
Collateral damage - some lost lives. Grown up, adult people who
might have been cured if the site
www.julius-hellenthal.de
had not been censored.
They never admitted the censorship. I know from former students
of the Cologne University that what I know is only the tip of
an iceberg.
Regards,
Peter and Karin Dambier
--
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
+1-360-448-1275 (VoIP: freeworldialup.com)
mail: peter at peter-dambier.de
http://iason.site.voila.fr
http://www.kokoom.com/iason
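The first approach in the quoted message (declaring the whole domain as a local master zone) and the narrower form that avoids the side effect it describes, as an added illustration that is not part of the original thread or of BIND's documentation. `example.com` and `192.0.2.1` are documentation values, and the file paths are assumed placeholders.

```text
// named.conf on the caching resolver (constructed example)

// Approach 1 from the quoted message: the whole domain becomes a local
// master zone. Every name under example.com now answers from the local
// file, so mail.example.com, ftp.example.com, ... stop resolving.
zone "example.com" {
    type master;
    file "/etc/bind/override/example.com.db";       // assumed path
};

// Narrower variant: a zone for the single fully qualified name only.
// The resolver is authoritative for www.example.com and nothing else;
// every other name in example.com is still resolved normally.
zone "www.example.com" {
    type master;
    file "/etc/bind/override/www.example.com.db";   // assumed path
};

; /etc/bind/override/www.example.com.db (constructed example)
$TTL 300
@   IN  SOA  localhost. hostmaster.example.com. (
            2005083101  ; serial
            3600        ; refresh
            900         ; retry
            604800      ; expire
            300 )       ; negative-caching TTL
    IN  NS   localhost.
    IN  A    192.0.2.1  ; sinkhole address; 192.0.2.0/24 is a documentation range
```

Each redirected name costs one `zone` statement plus one small zone file, which is exactly the maintenance burden the message anticipates for thousands of names, and only clients that actually use this resolver are affected. Pointing the sinkhole address at a host you log on is what turns the override from a silent failure into something you can see: every connection that arrives at 192.0.2.1 is a client that asked for a redirected name.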
More information about the bind-users mailing list