Bind9 and Cache Poisoning problems

Kevin Darcy kcd at daimlerchrysler.com
Mon Sep 12 21:37:39 UTC 2005


I think you're mixing up two different things. "Cache poisoning" usually 
refers to the acceptance of untrusted data in a normal response packet, 
such that future queries will be answered incorrectly, e.g. a DNS query 
of evil.com might have some bogus good.com records in the response, 
which if accepted, will cause subsequent queries of good.com to be 
misdirected to the wrong site, which might steal passwords, etc. 
"Response spoofing", on the other hand, uses query ID prediction (or 
other methods) to get a resolver to accept a response as coming from a 
trusted source, when in fact the source is not trusted. E.g. a resolver 
queries good.com, and a bogus answer resolving good.com to 9.9.9.9, the 
address of a malicious site, with a credible query ID, reaches the 
resolver and is accepted, before the proper answer, resolving good.com 
to 1.1.1.1, is seen.

Cache poisoning is generally not a problem for modern versions of BIND, 
although I understand that it is still possible to accomplish in some 
forwarding configurations (yet another reason to avoid forwarding 
whenever possible). Spoofed responses are, between nodes with an 
existing trust relationship, preventable using shared-key 
authentication, i.e. TSIG, but won't really be solvable on a large scale 
until DNSSEC is widely implemented.

- Kevin

Hyung-Jin Kim wrote:

>Can anybody help clarify about Bind9 and Cache Poisoning problems?
>I tried to find any specific mention of this mail-list but I couldn't.
>
>I understand that BIND 8 and BIND 9 both have the problem about birthday
>attack, and the birthday attack can break the random query ID and it doesn't
>rely on the bind versions.
>(when a huge number of queries with responses arrives, the record has the
>possibility to be poisoned in the name server's cache)
>
>Although, I found at the ISC Web Page that BIND9 appears to fix this problem
>and all name servers used as forwarders should be upgraded to BIND 9 for
>protecting against cache poisoning.
>
>In that case, I wonder if DNS cache poisoning isn't possible with
>BIND9, then what is the point of updating to Bind9 to prevent cache poisoning
>attacks except ACLs & blackholing?
>
>Thanks for any help.
>
>Hyung-jin Kim
>National Internet Development Agency of Korea (NIDA)

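The defence Kevin alludes to when he says cache poisoning is "generally not a problem" for modern resolvers is the bailiwick rule: records in a response are only cached if their owner name lies within the zone the queried server is responsible for. As an added example (not part of this thread and not BIND's own code), a small Python model of that check over a constructed response; `in_bailiwick`, `filter_response` and the sample records are my own names and data:

```python
# Added example, not from the mailing-list post or from BIND: a minimal
# bailiwick check of the kind resolvers apply before caching a response.
# Records are constructed (owner, type, rdata) tuples; no DNS traffic is sent.

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a name beneath it.

    The "." prefix on the suffix test matters: a plain endswith("evil.com")
    would wrongly accept a sibling name such as notevil.com.
    """
    owner = owner.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone_of_server: str, records):
    """Split a response's records into (accepted, rejected) lists.

    `zone_of_server` is the zone the queried server is authoritative for.
    Any record whose owner lies outside it is dropped instead of cached, so
    an answer for evil.com cannot plant good.com data in the cache.
    """
    accepted, rejected = [], []
    for rec in records:
        owner, _rtype, _rdata = rec
        (accepted if in_bailiwick(owner, zone_of_server) else rejected).append(rec)
    return accepted, rejected


# Constructed response to a query for www.evil.com, as if returned by
# evil.com's authoritative server. The additional section carries records
# the server has no authority over; those are the ones a poisoning attempt
# relies on being cached.
RESPONSE = [
    ("www.evil.com.", "A", "203.0.113.5"),    # answer: in bailiwick
    ("evil.com.", "NS", "ns1.evil.com."),     # authority: in bailiwick
    ("ns1.evil.com.", "A", "203.0.113.53"),   # additional glue: in bailiwick
    ("good.com.", "A", "9.9.9.9"),            # additional: out of bailiwick
    ("www.good.com.", "A", "9.9.9.9"),        # additional: out of bailiwick
    ("notevil.com.", "A", "9.9.9.10"),        # sibling name: out of bailiwick
]

if __name__ == "__main__":
    kept, dropped = filter_response("evil.com.", RESPONSE)
    print("cached:", [r[0] for r in kept])
    print("rejected:", [r[0] for r in dropped])
```

The bailiwick rule closes the "bogus good.com records in an evil.com response" case; it does nothing against a spoofed response that arrives with a matching query ID, which is the separate problem Kevin points at TSIG and DNSSEC for.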



More information about the bind-users mailing list