What to do about HiNet cache poisoning?

Mark_Andrews at isc.org
Tue Apr 23 00:53:00 UTC 2002


	It's time they got reported to law enforcement authorities.
	Many people have sent them requests to cease and desist.
	They continue to deliberately poison caches.

	Mark

> 
> Are you running a really old version of BIND 8? Later versions are pretty
> much immune to this form of cache poisoning, except, I understand, for
> certain pathological forwarding configurations. I think BIND 9 is
> completely immune.
> 
> In the interim, you can always use "bogus" in a "server" clause, or the
> "blackhole" option, to protect yourself against HiNet's bogus claims of
> authority.
> 
> 
> - Kevin
> 
> Rob van der Putten wrote:
> 
> > Hi there
> >
> > I happened to stumble on this one yesterday;
> > sput:~$ soa in-addr.arpa.
> > in-addr.arpa            SOA     hntp1.hinet.net hostmaster.hinet.net (
> >                         200204180       ;serial (version)
> >                         21600   ;refresh period (6 hours)
> >                         7200    ;retry interval (2 hours)
> >                         3600000 ;expire time (5 weeks, 6 days, 16 hours)
> >                         86400   ;default ttl (1 day)
> >                         )
> >
> > And this morning;
> > sput:~$ ns in-addr.arpa.
> > in-addr.arpa            NS      ipdns2.hinet.net
> > in-addr.arpa            NS      ipdns1.hinet.net
> >
> > HiNet is a notorious spammer. They actually send nothing but spam.
> > Apparently they branched out into cache poisoning.
> >
> > What I think happened is the following;
> > HiNet tries to deliver mail at my box.
> > My box does a reverse lookup on their IP address.
> > Their NS tells my NS that they are authoritative for in-addr.arpa and my
> > box is foolish enough to cache this data.
> >
> > Various variations on this theme are possible. What they all have in
> > common is a nameserver caching answers to questions it didn't ask.
> >
> > How can I tell my NS to ignore (don't cache) anything it didn't
> > specifically ask for?
> > Is this possible with Bind 8.x? Do I need Bind 9? Or do I need something
> > completely different?
> > And why doesn't Bind stick to what's in db.root instead of listening to
> > HiNet lies? The HiNet NS probably claims that their info is more recent.
> > But that doesn't make them more reliable.
> >
> > Regards,
> > Rob
> > --
> > +----------------------------------------------------------------------+
> > |                   Rob van der Putten, rob at sput.nl                    |
> > |                 http://www.sput.nl/spam-policy.html                  |
> > +----------------------------------------------------------------------+
> 
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
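
The behaviour asked for in the quoted question (do not cache records a server volunteers for names above the zone it was queried about) is usually called a bailiwick check. A simplified sketch of it follows, added here as an example; it is not BIND's code and not from any poster in this thread, and the zone names and records in it are constructed sample data.

```python
# Added illustration: simplified bailiwick filter for a caching resolver.
# Not BIND's implementation; all zones and records are constructed samples.

def norm(name):
    """Lower-case a domain name and split it into labels (root -> [])."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(owner, zone):
    """True if owner is at or below zone, compared label by label.

    A plain string suffix test is not enough: 'notin-addr.arpa' ends with
    'in-addr.arpa' as a string but is not inside that zone.
    """
    o, z = norm(owner), norm(zone)
    return len(o) >= len(z) and (not z or o[-len(z):] == z)

def filter_response(queried_zone, records):
    """Split records into (cacheable, rejected).

    queried_zone is the zone the resolver believed the responding server
    to be authoritative for when it sent the query (learned from the
    delegation it followed), never a zone the response itself claims.
    """
    keep, drop = [], []
    for rr in records:
        (keep if in_bailiwick(rr[0], queried_zone) else drop).append(rr)
    return keep, drop

# Constructed scenario: the resolver followed a delegation for
# 2.0.192.in-addr.arpa and asked for a PTR record. The reply also carries
# SOA and NS records for the parent in-addr.arpa, the pattern seen in the
# thread's lookups.
SAMPLE_ZONE = "2.0.192.in-addr.arpa."
SAMPLE_RESPONSE = [
    ("10.2.0.192.in-addr.arpa.", "PTR", "mail.example.net."),
    ("2.0.192.in-addr.arpa.", "NS", "ns1.example.net."),
    ("in-addr.arpa.", "NS", "ns1.example.net."),
    ("in-addr.arpa.", "SOA", "ns1.example.net. hostmaster.example.net."),
]

if __name__ == "__main__":
    keep, drop = filter_response(SAMPLE_ZONE, SAMPLE_RESPONSE)
    for rr in keep:
        print("cache :", rr)
    for rr in drop:
        print("reject:", rr)
```
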

