Is this a DNS security hole?
Kevin Darcy
kcd at daimlerchrysler.com
Sat May 1 03:04:49 UTC 2004
>First of all, I am not an expert in DNS... that's why I am here to ask for
>help. don't laugh at me if I am wrong.
>
>I have tested this with my domain, this seems like a security hole to me..My
>domain is registered with Register.com
>
>1. Go to Register.com, login to my account (say "mycompany.com", doesn't
>matter)
>2. Add a new DNS entry
>3. They will ask for HOST NAME and IP ADDRESS (they used to ask HOST name
>only, not IP).
>4. type host="testing.victim.com" (the host of the victim)
>5. type ip = "24.102.80.12" (the IP address I want to point to, I just make
>it up)
>6. submit
>7. After 24 hours, all the world's DNS server will resolve
>testing.victim.com as 24.102.80.12. If you PING testing.victim.com from any
>server in the world, say network-tools.com gives you 24.102.80.12
>
>This is not good, now "testing.victim.com" is tied to the IP address, it
>doesn't even try to resolve it from "victim.com" 's DNS server..... why is
>this happening?? I have used http://network-tools.com/nslook/Default.asp
>to verify my result..
>
>If this is true, anyone can hijack other people's domain name using DNS and
>point to his IP address? this is scary..
>
>
The mycompany.com zone cannot contain a testing.victim.com A record. If
the GUI says that, then it is lying. Do some queries, e.g. a zone
transfer, to see whether it's in there or not. My guess is that you have
authority in both the victim.com and mycompany.com zones, and the GUI
just "helpfully" switched zones on you behind the scenes instead of
rudely denying your attempt to add the A record to the wrong zone.
If you *shouldn't* have authority in victim.com and you were able to
create an A record in it using register.com's GUI tool, then it does
indeed have a serious security flaw, IMO, and you should probably report it.
Even in that case, though, it wouldn't be a "DNS" security problem
_per_se_, just a bug in register.com's GUI tool. There are some security
issues with the original DNS protocol, to be sure, and DNSSEC is
attempting to remedy most of them...
- Kevin
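Kevin's point is that a zone can only hold records whose owner names are at or below its apex, so "testing.victim.com" cannot be data in the mycompany.com zone no matter what a registrar's GUI displays. The following is an added illustration, not code from the thread or from register.com: a small label-wise containment check of the kind a zone editor would use to reject "out of zone" data before it is ever loaded. The record list is constructed here to mirror the scenario in the thread (the 24.102.80.12 address is the poster's made-up value), and note the last entry: a plain string-suffix test would wrongly accept "notmycompany.com", which is why the comparison is done per label.

```python
"""Zone containment check: which owner names can a given zone actually hold?"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    # Normalise a DNS name to lowercase labels, root side first, so that
    # "www.MyCompany.com." and "www.mycompany.com" compare equal.
    name = name.rstrip(".").lower()
    if not name:
        return []  # the root zone has no labels
    return name.split(".")[::-1]


def in_zone(owner: str, zone: str) -> bool:
    """True if `owner` is at or below the zone apex `zone`.

    Comparison is per label and case-insensitive, as DNS names are, so a
    name that merely ends with the apex as a substring does not qualify.
    """
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[: len(z)] == z


def filter_zone_records(zone: str, records):
    """Split candidate (owner, type, rdata) tuples into records the zone can
    hold and "out of zone" records that must be rejected (or, as Kevin
    suggests the GUI may do, silently routed to a different zone)."""
    accepted, rejected = [], []
    for owner, rtype, rdata in records:
        bucket = accepted if in_zone(owner, zone) else rejected
        bucket.append((owner, rtype, rdata))
    return accepted, rejected


# Constructed sample records modelled on the thread's example.
CANDIDATE_RECORDS = [
    ("www.mycompany.com.", "A", "192.0.2.10"),
    ("MyCompany.COM", "MX", "10 mail.mycompany.com."),
    ("testing.victim.com", "A", "24.102.80.12"),  # the record the poster tried to add
    ("notmycompany.com", "A", "192.0.2.11"),  # suffix trap: not a subdomain
]

if __name__ == "__main__":
    ok, bad = filter_zone_records("mycompany.com", CANDIDATE_RECORDS)
    for rec in ok:
        print("in zone:     ", rec)
    for rec in bad:
        print("OUT OF ZONE: ", rec)
```

Running it shows the two mycompany.com records accepted and both "testing.victim.com" and "notmycompany.com" rejected; the same check, applied to what the registrar actually publishes, is how to confirm Kevin's guess that the GUI switched zones rather than inserting a foreign name into mycompany.com.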