What to do about HiNet cache poisoning?

Kevin Darcy kcd at daimlerchrysler.com
Tue Apr 23 00:26:17 UTC 2002


Are you running a really old version of BIND 8? Later versions are pretty
much immune to this form of cache poisoning, except, I understand, for
certain pathological forwarding configurations. I think BIND 9 is
completely immune.

In the interim, you can always use "bogus" in a "server" clause, or the
"blackhole" option, to protect yourself against HiNet's bogus claims of
authority.


- Kevin

Rob van der Putten wrote:

> Hi there
>
> I happened to stumble on this one yesterday;
> sput:~$ soa in-addr.arpa.
> in-addr.arpa            SOA     hntp1.hinet.net hostmaster.hinet.net (
>                         200204180       ;serial (version)
>                         21600   ;refresh period (6 hours)
>                         7200    ;retry interval (2 hours)
>                         3600000 ;expire time (5 weeks, 6 days, 16 hours)
>                         86400   ;default ttl (1 day)
>                         )
>
> And this morning;
> sput:~$ ns in-addr.arpa.
> in-addr.arpa            NS      ipdns2.hinet.net
> in-addr.arpa            NS      ipdns1.hinet.net
>
> HiNet is a notorious spammer. They actually send nothing but spam.
> Apparently they branched out into cache poisoning.
>
> What I think happened is the following;
> HiNet tries to deliver mail at my box.
> My box does a reverse lookup on their IP address.
> Their NS tells my NS that they are authoritative for in-addr.arpa and my
> box is foolish enough to cache this data.
>
> Various variations on this theme are possible. What they all have in
> common is a nameserver caching answers to questions it didn't ask.
>
> How can I tell my NS to ignore (don't cache) anything it didn't
> specifically ask for?
> Is this possible with Bind 8.x? Do I need Bind 9? Or do I need something
> completely different?
> And why doesn't Bind stick to what's in db.root instead of listening to
> HiNet lies? The HiNet NS probably claims that their info is more recent.
> But that doesn't make them more reliable.
>
> Regards,
> Rob
> --
> +----------------------------------------------------------------------+
> |                   Rob van der Putten, rob at sput.nl                    |
> |                 http://www.sput.nl/spam-policy.html                  |
> +----------------------------------------------------------------------+
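The check Rob asks for ("ignore anything it didn't specifically ask for") and the reason Kevin can call later BIND versions immune is the bailiwick, or credibility, rule: a resolver only caches records that fall within the zone the answering server was delegated for, so a server consulted for one reverse-lookup zone cannot plant NS or SOA records for in-addr.arpa itself. The following is an added example, not code from the original thread or from BIND; it reimplements that rule in Python over a constructed response shaped like the one in the post. The 203.0.113.0/24 range, the delegated zone 113.0.203.in-addr.arpa and the name mx.example.net are placeholders; the hinet.net names are the ones quoted above.

```python
# Added example, not code from the original thread or from BIND: a simplified
# bailiwick (credibility) rule of the kind modern resolvers apply so that
# records outside the zone a server was asked about are never cached.
# Placeholder data: 203.0.113.0/24 (documentation range) stands in for the
# remote mail host's network; the hinet.net names come from the quoted post.

from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record from a DNS response, tagged with its section."""
    name: str
    rtype: str
    rdata: str
    section: str  # "answer", "authority" or "additional"


def canonical(name: str) -> str:
    """Lower-case, fully qualified form with exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it in the DNS tree.

    The comparison is label-aware: "ample.com" is NOT a parent of
    "example.com" even though it is a string suffix of it.
    """
    name, zone = canonical(name), canonical(zone)
    if zone == ".":          # the root is every name's parent
        return True
    return name == zone or name.endswith("." + zone)


def filter_response(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split a response into records the resolver may cache and records it
    must discard.

    `zone` is the delegation point the queried server was referred for
    (e.g. 113.0.203.in-addr.arpa): anything at or below it is credible,
    anything above or beside it (in-addr.arpa NS, hinet.net glue) is not,
    no matter which section of the response it arrived in.
    """
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


# Constructed response, modelled on the poisoning described in the thread:
# the PTR answer is legitimate, but the authority and additional sections
# try to plant NS records for in-addr.arpa itself plus glue for them.
DELEGATED_ZONE = "113.0.203.in-addr.arpa"
SAMPLE_RESPONSE = [
    RR("4.113.0.203.in-addr.arpa.", "PTR", "mx.example.net.", "answer"),
    RR("in-addr.arpa.", "NS", "ipdns1.hinet.net.", "authority"),
    RR("in-addr.arpa.", "NS", "ipdns2.hinet.net.", "authority"),
    RR("ipdns1.hinet.net.", "A", "203.0.113.53", "additional"),
    RR("ipdns2.hinet.net.", "A", "203.0.113.54", "additional"),
]


def demo() -> tuple[list[RR], list[RR]]:
    """Run the filter over the constructed response."""
    return filter_response(DELEGATED_ZONE, SAMPLE_RESPONSE)


if __name__ == "__main__":
    kept, dropped = demo()
    for rr in kept:
        print("CACHE  ", rr.section, rr.name, rr.rtype, rr.rdata)
    for rr in dropped:
        print("DISCARD", rr.section, rr.name, rr.rtype, rr.rdata)
```

Real resolvers refine this further, weighing which section a record came from and whether it was learned from a server for that zone; the simplification here is that the delegation point alone decides. On the BIND side, the stop-gap Kevin names is a `server` clause for the offending address containing `bogus yes;`, or listing the address in the `blackhole` address match list under `options`, so the resolver never talks to that server at all.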
