Lots of cache poisoning going on

Barry Margolin barmar at genuity.net
Fri Mar 8 19:52:23 UTC 2002


For the past week our caching-only nameservers have been having lots of
trouble with cache poisoning.  We've been seeing COM delegated to
domainmonger.com.com [sic], adsldns.com, and gdcn.com servers.  Last week
we were also seeing delegations to domainname.at, who had a wildcard A
record for *.com pointing everything to their server, but it looks like
they've fixed this.

We're running 8.2.3 currently, and our server administrators are working on
upgrading all our servers to 8.3.1.  Meanwhile we've been adding servers to
the bogus servers configuration as we encounter them, but that doesn't seem
to be stopping the problem completely; I suspect that we're being poisoned
by third parties sending us these bogus NS records, so we'll have to
examine named_db.dump to find out where they're coming from.

Has anyone else been encountering this problem, or are we being targeted?
Is upgrading likely to solve our problem, or is someone seeing it with
8.3.1?  I was under the impression that all the recent BIND 8 versions were
pretty safe against cache corruption, and that the last few security fixes
were related to buffer overflows.

I wonder if someone may be sending us packets with the source address
forged to be one of the real GTLD servers.  If A.GTLD-SERVERS.NET seemed to
be sending us a new delegation for COM, we'd believe it, wouldn't we?

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
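The post suggests examining named_db.dump to find where the bogus COM delegations came from. As an added example (not code from the original post, from ISC, or from BIND itself), the scanner below reads a master-file-style dump and flags the two patterns the post describes: NS records for a top-level domain that point outside the expected operator's namespace, and wildcard records sitting directly under a TLD. The `$ORIGIN` handling, the stripping of trailing `;Cr=...` credibility comments, the `EXPECTED_TLD_NS` allowlist, and the sample dump are all assumptions constructed for this example, not a description of how every BIND 8 release writes its dump file.

```python
"""Scan a BIND master-format cache dump for suspicious TLD delegations.

Added example, not part of the original post or of BIND.  It parses
master-file-style lines of the kind a cache dump contains and flags:
  * NS records for a TLD whose target is outside the expected operator's
    namespace (e.g. COM delegated to anything but *.gtld-servers.net.), and
  * wildcard records (e.g. *.com) directly under a TLD.
The dump format details and the allowlist below are assumptions.
"""

# Assumed allowlist: name suffixes a cache should normally see serving each TLD.
EXPECTED_TLD_NS = {
    "com.": ("gtld-servers.net.",),
    "net.": ("gtld-servers.net.",),
}

RR_TYPES = {"NS", "A", "AAAA", "CNAME", "SOA", "MX", "PTR", "TXT"}
CLASSES = {"IN", "CH", "HS"}
NAME_RDATA = {"NS", "CNAME", "PTR"}   # types whose rdata is a domain name


def _fqdn(name, origin):
    """Qualify a relative owner or target name against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def parse_dump(text):
    """Yield (owner, type, rdata) from master-file-style lines.

    Handles $ORIGIN, trailing ';' comments (including ;Cr=... annotations),
    optional TTL/class fields, and blank-owner continuation lines.
    """
    origin = "."
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):          # $TTL and other directives
            continue
        fields = line.split()
        if raw[0].isspace():              # blank owner: reuse previous owner
            owner = last_owner
        else:
            owner = _fqdn(fields.pop(0), origin)
            last_owner = owner
        if owner is None:
            continue
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)                 # skip optional TTL and class
        if not fields or fields[0].upper() not in RR_TYPES:
            continue
        rtype = fields.pop(0).upper()
        if rtype in NAME_RDATA and fields:
            fields[0] = _fqdn(fields[0], origin)
        yield owner, rtype, " ".join(fields)


def is_tld(name):
    """True for a single-label absolute name such as 'com.'."""
    return name != "." and name.endswith(".") and name.count(".") == 1


def find_bogus_delegations(text, expected=EXPECTED_TLD_NS):
    """Return (kind, owner, detail) findings for suspicious TLD-level records."""
    findings = []
    for owner, rtype, rdata in parse_dump(text):
        if rtype == "NS" and is_tld(owner):
            target = rdata.lower()
            allowed = expected.get(owner.lower(), ())
            if not any(target == s or target.endswith("." + s) for s in allowed):
                findings.append(("bogus-ns", owner, target))
        if owner.startswith("*.") and is_tld(owner[2:]):
            findings.append(("tld-wildcard", owner, f"{rtype} {rdata}"))
    return findings


# Constructed sample dump; not a real named_db.dump and not real servers.
SAMPLE_DUMP = """\
; constructed sample for this example
$ORIGIN .
com.    172800  IN  NS  A.GTLD-SERVERS.NET.      ;Cr=auth
        172800  IN  NS  C.GTLD-SERVERS.NET.      ;Cr=auth
com.    86400   IN  NS  ns1.bogus.example.       ;Cr=answer
$ORIGIN com.
*       3600    IN  A   192.0.2.10
example 3600    IN  NS  ns1.example.com.
"""

if __name__ == "__main__":
    for kind, owner, detail in find_bogus_delegations(SAMPLE_DUMP):
        print(f"{kind:13} {owner:10} {detail}")
```

Run it against the real dump with `find_bogus_delegations(open("named_db.dump").read())`; a `bogus-ns` hit tells you which server name the cache has accepted as authoritative for the TLD, which is the candidate for the bogus-servers configuration, and a `tld-wildcard` hit is the `*.com` case from the post.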

