CVE-2012-1033 (Ghost domain names) mitigation

Matus UHLAR - fantomas uhlar at fantomas.sk
Thu Feb 9 15:56:07 UTC 2012


>> > Questions:
>> > (1) It looks to me like if the ghost name is in our
>> >    DNS RPZ zone, then that 'fixes' the problem for
>> >    that name.   Is this correct?
>>
>> Ghost domain could be redelegated to a new owner and become absolutely
>> legal.

On 09.02.12 07:36, John Hascall wrote:
>   Caveat Emptor -- if you buy a former TDSS (or some other evil) domain,
>   that's just too bad.

Unfortunately, RPZ or DNSSEC - solving this problem depends on the whole
world using them, so with this flaw in the DNS protocol we're screwed
still.
When you buy a domain, just check if it's blacklisted anywhere if you
want to avoid this.

>> > (2) It also looks like restarting bind flushes the cache
>> >    and that prevents the repopulation of the local cache
>> >    with names which are ghosts (new different ghost names
>> >    could, of course, be created).    Is this correct?
>
>> AFAIK 'rndc flush' will do the same.
>
>Thanks - we're doing a nightly restart for other reasons.

what?
-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
My mind is like a steel trap - rusty and illegal in 37 states. 



More information about the bind-users mailing list