DNS cache poisoning attacks
Kevin Darcy
kcd at chrysler.com
Tue Aug 26 23:52:59 UTC 2008
Trey Valenta wrote:
> On Tue, Aug 26, 2008 at 09:18:11AM -0000, EL MAAYATI Afaf wrote:
>
>> The line " query-source address x port 53;" is already disabled;
>>
>> # dig @192.168.2.3 +short porttest.dns-oarc.net txt
>
>> Porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
>>
>> "192.168.2.3 is POOR: 26 queries in 6.4 seconds from 1 ports with std dev 0"
>>
>
> Did you modify the IP addresses in your post, or is this _really_ the
> string returned by your query? If you're getting a response with
> "192.168.2.3 is POOR", then I presume you have a firewall that's doing
> all sorts of rewriting the DNS packets. My initial guess is that
> whatever device you use to NAT or PAT the DNS server is the culprit.
>
Good point. The entropy tester should never be seeing the 192.168.x.x
address.
On the other hand, I doubt any firewall/NA(P)T would recognize within,
and rewrite on the fly, the textual representation of an IP address
within a TXT record. The value of doing so is very low, and the risk of
false positives is significant.
So, I tend to think the original poster modified the output so as not to
identify the public address of his/her resolver.
- Kevin