CVE-2012-1033 (Ghost domain names) mitigation

Lyle Giese lyle at lcrcomputer.net
Thu Feb 9 17:43:15 UTC 2012


On 02/09/12 09:56, Matus UHLAR - fantomas wrote:
>>> > Questions:
>>> > (1) It looks to me like if the ghost name is in our
>>> >    DNS RPZ zone, then that 'fixes' the problem for
>>> >    that name.   Is this correct?
>>>
>>> Ghost domain could be redelegated to a new owner and become absolutely
>>> legal.
>
> On 09.02.12 07:36, John Hascall wrote:
>>   Caveat Emptor -- if you buy a former TDSS (or some other evil) domain,
>>   that's just too bad.
>
> unfortunately, RPZ or DNSSEC - solving this problem depends on the whole 
> world using them, so with this flaw in the DNS protocol we're screwed 
> still. When you buy a domain, just check if it's blacklisted anywhere 
> if you want to avoid this.
>
>>> > (2) It also looks like restarting bind flushes the cache
>>> >    and that prevents the repopulation of the local cache
>>> >    with names which are ghosts (new different ghost names
>>> >    could, of course, be created).    Is this correct?
>>
>>> AFAIK 'rndc flush' will do the same.
>>
>> Thanks - we're doing a nightly restart for other reasons.
>
> what?
This is just my opinion, but this is not a bug.  It's the side effect of 
a desirable feature called caching.

Yeah, we can brainstorm how to mitigate the effect, but in order to 
mitigate a problem, we have to know that there is a problem (revoked or 
bad domain).

1) How would we (as DNS server operators) know when a domain name is 
revoked? (Gee, sounds like what the US government wants to do, and it 
seems the community does not like that idea; I agree it's a bad idea 
to put the US DHS in charge of that list.)

2) Restart or flush our DNS cache frequently?  Let's assume the A record 
TTL is 24 hrs.  And if we decide to flush the cache once a day?  That 
leaves a whole bunch of time that we are open to this and not much 
remaining time for the record in cache.  I fail to see the benefit 
here.  The idea to flush just the 'bad' domain fails due to #1, IMHO.

3) Maybe I don't understand DNS cache and its relationship with DNSSEC 
yet.  But if my server caches a good answer (verified via DNSSEC), why 
would my server recheck the DNSSEC records until the TTL has elapsed?  
My thinking (and I could be quite wrong here) is that my server will 
cache a good verified answer and DNSSEC does not seem to help here.  
Please let me know where I am wrong here if I am.

Lyle Giese
LCR Computer Services, Inc.
