Help Understanding Cache Poisoning

Barry Margolin barmar at alum.mit.edu
Tue Nov 28 03:06:16 UTC 2006


In article <ekas3n$2ala$1 at sf1.isc.org>,
 "Will" <westes-usc at noemail.nospam> wrote:

> But the question was *how* does that poisoning happen?  I see how a
> hacker can do a denial of service attack, but not how they can get the
> resolver to enter in bad values.

Often cache poisoning requires the resolver to look up names in a 
particular domain that's legitimately delegated to the poisoner's 
servers.  The response to that query contains the "poison" data that 
gets entered into the cache.

With a closed recursive server, you have to get one of the ISP's 
customers to try to look up this domain -- maybe infect him with a 
virus, use a domain that's a misspelling of a common domain, send him 
spam with a link to your domain, etc.

But with an open server, all you have to do is send a query to the 
server.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
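As an added illustration of the defensive side of what Barry describes (this is example code written for this page, not BIND's code or anything from the thread): a recursive resolver limits the damage a response from the poisoner's delegated servers can do by applying a bailiwick check before admitting records to its cache. Only records for names at or below the zone the queried server was delegated for are cacheable; records about unrelated names riding along in the authority or additional sections are the "poison" and are dropped. The domain names, addresses and record layout below are constructed for the example.

```python
"""Bailiwick filter for cache admission in a recursive resolver (added example).

When the resolver asks the server delegated for poisoner.example about
www.poisoner.example, that server may legitimately answer for names inside
poisoner.example. Anything it says about other names (here bank.example) is
outside its bailiwick and must not enter the cache. All names and addresses
below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """A simplified resource record: the wire format is not modelled here."""
    name: str
    rtype: str
    rdata: str
    section: str  # "answer", "authority" or "additional"


def normalize(name: str) -> str:
    """Canonical form for comparison: no trailing dot, case-insensitive."""
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or a subdomain of it.

    The check is label-aware: notpoisoner.example does not end with
    ".poisoner.example", so a plain suffix match would be wrong.
    """
    n, z = normalize(name), normalize(zone)
    if z == "":
        return True  # a root server's answers are in bailiwick for everything
    return n == z or n.endswith("." + z)


def filter_response(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split a response into (cacheable, rejected) records.

    zone is the zone the queried server was delegated for; every record whose
    owner name falls outside it is rejected regardless of section.
    """
    accepted: list[RR] = []
    rejected: list[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed response from the poisoner.example authoritative server.
SAMPLE_RESPONSE = [
    RR("www.poisoner.example", "A", "192.0.2.10", "answer"),
    RR("poisoner.example", "NS", "ns1.poisoner.example", "authority"),
    RR("ns1.poisoner.example", "A", "192.0.2.53", "additional"),
    # Out-of-bailiwick records: this server is not authoritative for bank.example,
    # so these are exactly the "poison" a naive resolver would cache.
    RR("bank.example", "NS", "ns1.poisoner.example", "authority"),
    RR("www.bank.example", "A", "192.0.2.66", "additional"),
]


def demo() -> tuple[list[str], list[str]]:
    """Return the owner names that were cached and those that were dropped."""
    ok, bad = filter_response("poisoner.example", SAMPLE_RESPONSE)
    return [r.name for r in ok], [r.name for r in bad]


if __name__ == "__main__":
    cached, dropped = demo()
    print("cached :", cached)
    print("dropped:", dropped)
```

The same check applies to both the closed and the open recursive server in Barry's post: it does not stop a query for the poisoner's domain from reaching the resolver, but it ensures that the answer can only populate the cache with data about that domain.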
