Not sure if my DNS is vulnerable?

Ben Croswell ben.croswell at gmail.com
Wed Aug 13 13:56:54 UTC 2008


I would say you are "less vulnerable", but you are still vulnerable.
It is only a matter of time before someone integrates the exploit code into
a webpage.
One of your internal users goes to the web page which has the browser
resolve somehost.evil.org.  The attacker now knows the IP of your outbound
DNS server.  At this point I would guess it wouldn't be too difficult to have
javascript on the webpage force the browser to do the actual DNS queries
from the inside.  Once those go out the attacker spams the answer back to
win the race.

Anyone else can correct me if I am too far off base.

-- 
-Ben Croswell

On Wed, Aug 13, 2008 at 9:15 AM, John Smith <n6s7a6 at gmail.com> wrote:

> So I have a caching only DNS server that is behind a firewall and has no
> incoming connections allowed unless specifically requested from inside. My
> DNS server does contact the root DNS servers upstream. But again incoming
> connections are only allowed into my DNS server unless they originated from
> the inside.
> As far as I understand the problem for the recent DNS issues is from
> someone
> on the outside of my firewall (I am ignoring an attack from the inside)
> would have to send my DNS server (which they cannot) some DNS requests in
> order to get a reply for them to attack?
> Am I right? So since I do not have external access to port 53 I am
> relatively safe?
>
> Since my DNS is not randomizing ports but is randomizing transaction id's?
>
> Just curious.
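As an added example (not part of the thread, and not BIND's own code), a defender-side check for the question raised above: does the resolver vary the UDP source port of its outbound queries, and how many bits must an off-path spoofer guess per forged answer? It reads tcpdump-style summary lines; the two captures here are constructed, one mimicking a resolver pinned to port 53 and one mimicking per-query port randomization.

```python
import math
import random
import re
from collections import Counter

# tcpdump-style summary of one outbound query (constructed format):
#   IP <resolver>.<sport> > <upstream>.53: <txid>+ A? <name>. (<len>)
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")


def constructed_capture(fixed_port=None, n=200, seed=1):
    """Constructed capture lines, not a real trace. fixed_port=53 mimics
    a resolver pinned to one port; None mimics a fresh high port per query.
    Transaction IDs are random in both cases, as in the thread."""
    rng = random.Random(seed)
    lines = []
    for _ in range(n):
        port = fixed_port if fixed_port else rng.randint(1024, 65535)
        lines.append(f"IP 192.0.2.10.{port} > 198.41.0.4.53: "
                     f"{rng.randint(0, 0xFFFF)}+ A? www.example.com. (44)")
    return lines


def parse_queries(lines):
    """Return (source_port, txid) for each line that is an outbound query."""
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2))))
    return out


def entropy_bits(values):
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess(lines, min_distinct_ports=50):
    """Classify port behaviour and the bits a spoofer must guess per
    answer: 16 for the TXID, plus the port bits only if the port varies."""
    queries = parse_queries(lines)
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    randomized = len(set(ports)) >= min_distinct_ports
    port_bits = math.log2(max(ports) - min(ports) + 1) if randomized else 0.0
    return {
        "queries": len(queries),
        "distinct_ports": len(set(ports)),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "port_randomized": randomized,
        "guess_space_bits": round(16 + port_bits, 1),
    }


if __name__ == "__main__":
    for label, fixed in (("fixed port 53", 53), ("randomized ports", None)):
        print(label, assess(constructed_capture(fixed)))
```

Run the same check against a real capture of the resolver's outbound port 53 traffic; a single distinct port across many queries is the weak configuration the thread is discussing.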
