DNS Cache Poisoning
Brad Knowles
brad at stop.mail-abuse.org
Thu Apr 14 01:01:58 UTC 2005
At 12:19 AM +0000 2005-04-14, Bob wrote:
> When BIND gets a response from a remote server, how does it determine
> whether the data in the Authority/Additional sections is intended to poison
> the cache? Thanks.
It can only make educated guesses. If the answer contains
information about servers that are not within that zone (e.g.,
someone trying to stuff in a bogus set of IP addresses for
a.root-servers.net into your cache), that is called "out of zone
glue", and should be ignored. Out of zone glue is not necessarily
always bad, but it can be bad and has been abused in the past. So,
it now gets ignored.
There are other techniques, but they all boil down to things that
have been found over time to have been used in unusual and abusive
ways by attackers, or to have caused frequent cache pollution
problems with systems exhibiting common misconfiguration problems,
and therefore were eliminated in later versions of the code.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
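The out-of-zone ("bailiwick") check the reply describes, as an added example written for this page in Python; it is not code from the post or from BIND, and the zone, host names and addresses below are constructed. Note that an NS record in the authority section may legitimately point at a name server outside the zone; it is the glue A record for that off-zone name that must be dropped, so the resolver looks it up separately instead of trusting the answer.

```python
# Added example (not from the bind-users post or from BIND): a minimal
# bailiwick check applied to constructed authority/additional records.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name of the record
    rtype: str   # "A", "NS", ...
    rdata: str   # record data (address or target name)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are label-wise."""
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or a proper subdomain of it.
    The comparison is label-aligned: 'notexample.com' is NOT under 'example.com'."""
    n, z = normalize(name), normalize(zone)
    if z == "":                      # the root zone contains every name
        return True
    return n == z or n.endswith("." + z)


def filter_response(bailiwick: str, authority, additional):
    """Keep only authority/additional records whose owner name lies under the
    bailiwick of the server that answered; drop everything else (out-of-zone
    glue). Returns (kept, dropped)."""
    kept, dropped = [], []
    for rr in list(authority) + list(additional):
        (kept if in_bailiwick(rr.name, bailiwick) else dropped).append(rr)
    return kept, dropped


# Constructed sample: a server authoritative for example.com answers with a
# delegation for sub.example.com. One NS target is outside the zone; the
# response also smuggles in an address for a.root-servers.net.
AUTHORITY = [
    RR("sub.example.com.", "NS", "ns1.sub.example.com."),
    RR("sub.example.com.", "NS", "ns.offzone.test."),   # NS record itself is in-zone
]
ADDITIONAL = [
    RR("ns1.sub.example.com.", "A", "192.0.2.10"),      # valid in-zone glue
    RR("ns.offzone.test.", "A", "192.0.2.66"),          # out-of-zone glue: drop
    RR("a.root-servers.net.", "A", "192.0.2.99"),       # out-of-zone glue: drop
]

if __name__ == "__main__":
    kept, dropped = filter_response("example.com", AUTHORITY, ADDITIONAL)
    for rr in dropped:
        print("ignored out-of-zone record:", rr)
```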