Vulnerability to cache poisoning -- the rest of the solution

Jeff Lightner jlightner at water.com
Fri Jul 11 18:43:26 UTC 2008


Thanks.

-----Original Message-----
From: Evan Hunt [mailto:Evan_Hunt at isc.org] 
Sent: Friday, July 11, 2008 2:30 PM
To: Jeff Lightner
Cc: Alan Clegg; bind-users at isc.org
Subject: Re: Vulnerability to cache poisoning -- the rest of the solution

> Is the "cache poisoning" poisoning of our name servers' cache or of name
> servers that our recursive queries are using for resolution of external
> sites (e.g. google.com, yahoo.com, billybob.com)?
> 
> When you say allowing recursion is the issue are you saying that in the
> sense that there is a risk from internal sabotage as there is from
> internet hackers or are you saying simply having it on for internal
> users somehow also would allow internet hackers to exploit it?
> 
> Reading your final paragraph makes it seem like you mean it is the
> latter.
> 
> Just to make sure I understand recursion:  My assumption is that this is
> necessary to do lookups for zones for which we are not authoritative
> like the examples above.  Is that correct?

Essentially, yes.  The problem is that your resolver, in going out to
get answers from authoritative servers elsewhere, is at risk of getting
a *forged* answer from a bad guy, containing bad information, and
accepting it as valid.  It would then cache the bad information, and
continue passing it out to your clients for as long as the cache persists.

If any client, inside *or* outside your network, uses your server for
recursion, then your server is a potential target for this kind of attack.
And if it hasn't been updated with the patch, the attack may well succeed.

--
Evan Hunt -- evan_hunt at isc.org
Internet Systems Consortium, Inc.
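The point Evan makes about "any client, inside or outside your network" is the difference between an open resolver and one that only recurses for your own users. The two BIND 9 named.conf fragments below are an added illustration, not configuration from this thread or from ISC; the 192.168.0.0/16 netblock is a placeholder for your own internal ranges.

```conf
// Added example, not from the thread. Two alternative BIND 9 named.conf
// fragments; use one or the other, not both in the same file.

// Weak: recursion is on and nothing limits who may use it. Any host on the
// Internet can ask this server to resolve arbitrary names, so the server's
// cache is exposed to forged answers on behalf of strangers' lookups.
options {
    recursion yes;
};

// Hardened: name the internal clients and let only them use recursion and
// read the cache. Outside hosts still get answers for the zones you are
// authoritative for, but cannot make this server resolve on their behalf.
acl "internal" {
    127.0.0.1;
    192.168.0.0/16;        // placeholder: replace with your real netblocks
};

options {
    recursion yes;
    allow-recursion { "internal"; };
    allow-query-cache { "internal"; };
};
```

This narrows who can drive your resolver; it does not replace the patch Evan refers to, which is what reduces the chance that a forged answer is accepted for lookups your own clients make. After `rndc reload`, a query for a name you are not authoritative for, sent from an address outside the acl, should come back REFUSED.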