Bind9 and Cache Poisoning problems
Kevin Darcy
kcd at daimlerchrysler.com
Mon Sep 12 21:37:39 UTC 2005
I think you're mixing up two different things. "Cache poisoning" usually
refers to the acceptance of untrusted data in a normal response packet,
such that future queries will be answered incorrectly, e.g. a DNS query
of evil.com might have some bogus good.com records in the response,
which if accepted, will cause subsequent queries of good.com to be
misdirected to the wrong site, which might steal passwords, etc.
"Response spoofing", on the other hand, uses query ID prediction (or
other methods) to get a resolver to accept a response as coming from a
trusted source, when in fact the source is not trusted. E.g. a resolver
queries good.com, and a bogus answer resolving good.com to 9.9.9.9, the
address of a malicious site, with a credible query ID, reaches the
resolver and is accepted, before the proper answer, resolving good.com
to 1.1.1.1, is seen.
Cache poisoning is generally not a problem for modern versions of BIND,
although I understand that it is still possible to accomplish in some
forwarding configurations (yet another reason to avoid forwarding
whenever possible). Spoofed responses are, between nodes with an
existing trust relationship, preventable using shared-key
authentication, i.e. TSIG, but won't really be solvable on a large scale
until DNSSEC is widely implemented.
- Kevin
Hyung-Jin Kim wrote:
>Can anybody help clarify Bind9 and cache poisoning problems?
>I tried to find any specific mention of this on the mailing list but I couldn't.
>
>I understand that BIND 8 and BIND 9 both have the problem with the birthday
>attack, and that the birthday attack can break the random query ID and doesn't
>rely on the bind versions.
>(When a huge number of queries with responses arrives, the record has the
>possibility to be poisoned in the name server's cache.)
>
>However, I found at the ISC web page that BIND9 appears to fix this problem,
>and all name servers used as forwarders should be upgraded to BIND 9 for
>protecting against cache poisoning.
>
>In that case, I wonder: if DNS cache poisoning isn't possible with
>version of BIND9, then what is the point of updating to Bind9 to prevent
>cache poisoning attacks, except ACLs & blackholing?
>
>Thanks for any help.
>
>Hyung-jin Kim
>National Internet Development Agency of Korea (NIDA)
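The defence against the first problem Kevin describes (a response for evil.com carrying good.com records) is the bailiwick check a caching resolver applies before it will cache anything. Below is an added Python illustration of that check, not code from either message or from BIND; the zone name, record owner names and 203.0.113.x addresses are constructed for the example.

```python
"""Bailiwick check: only cache records that belong to the zone we asked.

A resolver following the .com delegation to evil.com's name servers is
"in the bailiwick" of evil.com; any record in the response whose owner
name is not at or below evil.com must be discarded, not cached.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    section: str  # "answer", "authority" or "additional"
    name: str     # owner name
    rtype: str    # record type, e.g. "A" or "NS"
    rdata: str    # record data


def _labels(name: str) -> tuple:
    """Split a domain name into lowercase labels; the root is ()."""
    name = name.rstrip(".").lower()
    return tuple(name.split(".")) if name else ()


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is zone itself or a subdomain of it (label-wise, so
    notevil.com is NOT in the bailiwick of evil.com)."""
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_response(zone: str, rrs: list) -> tuple:
    """Split a response into records safe to cache and records to drop."""
    accepted, rejected = [], []
    for rr in rrs:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed response to "www.evil.com A" from an evil.com name server.
# The two good.com records are the poisoning attempt from Kevin's example.
SAMPLE_RESPONSE = [
    RR("answer", "www.evil.com.", "A", "203.0.113.10"),
    RR("authority", "evil.com.", "NS", "ns1.evil.com."),
    RR("authority", "good.com.", "NS", "ns1.evil.com."),   # out of bailiwick
    RR("additional", "ns1.evil.com.", "A", "203.0.113.53"),
    RR("additional", "www.good.com.", "A", "203.0.113.66"),  # out of bailiwick
]

if __name__ == "__main__":
    ok, dropped = filter_response("evil.com", SAMPLE_RESPONSE)
    for rr in dropped:
        print(f"dropped out-of-bailiwick {rr.section} record: {rr.name} {rr.rtype}")
```

A resolver that accepted all five records would cache good.com data it never asked the owner of good.com for; the check keeps the three evil.com records and drops the two good.com ones.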