idea about forging dns data

Peter Dambier peter at peter-dambier.de
Wed Aug 31 14:24:10 UTC 2005 

Sami Kerola wrote:
> Hello,
> 
> I am hostmaster and while ago co-worker asked is it possible to 
> lie 2000-3000 names in resolver. His noble cause was kiddie porn 
> sites which should resolve as some other IP than the real site 
> where immoral materal exists.
> 
> First idea was to declare zone as a master on resolver and make it 
> empty. Unfortunately all other hosts in same domain will stop 
> working. This "solution" is also quite hard to keep clear because 
> of many many zone files.
> 
> Second I thougt zone transfer from root server and putting bad 
> names into root file where they'd be served. But that does not 
> work because names in root file are not authoritative and resolver 
> will look data from authorative server.
> 
> Third and last idea I came up with was cache poisoning. If there 
> would be some deterministic way poison our own resolvers so that 
> every single record could be forgery. This "forgery" zone could 
> even have master server and there could be many sources of forgery 
> records. So that one blocks kiddie porn, one blocks hoax web pages 
> etc. What I know current bind does not have this kind of features, 
> but how hard developing these could be? If this feature is 
> possible does anyone else see anything good in this, mayby so much 
> good that this feature will be developed?
> 
> Before everyone starts to shout about politics etc please read 
> chapter below.
> 
> I am fully aware that all ideas above breaks DNS. I also 
> acknowledge that data forgery zone is perfert tool for internet 
> censorship and impacts negative way on freedom of speak. Putting 
> nonsense into resolver cache migth also causes mystical failures 
> everyone who uses the resolver.
> 

Hi Sami,

today I am in the DNS business because some fools here in
Germany played tricks on a friend using forged DNS.

It was our honorable Regierungspraesident Buessow who installed
the necessary tools to censor some sites he felt not propper for
children.

Collateral damage - some lost lives. Grown up, adult people who
might have been cured if the site

www.julius-hellenthal.de

had not been censored.

They never admitted the censorship. I know from former students
of the Cologne University that what I know is only the tip of
an iceberg.

Regards,
Peter and Karin Dambier


-- 
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
+1-360-448-1275 (VoIP: freeworldialup.com)
mail: peter at peter-dambier.de
http://iason.site.voila.fr
http://www.kokoom.com/iason

More information about the bind-users mailing list