Vulnerability to cache poisoning -- the rest of the solution

Kevin Darcy kcd at chrysler.com
Fri Jul 11 20:35:01 UTC 2008


Evan Hunt wrote:
>> Is the "cache poisoning" poisoning of our name servers' cache or of name
>> servers that our recursive queries are using for resolution of external
>> sites (e.g. google.com, yahoo.com, billybob.com)?
>>
>> When you say allowing recursion is the issue are you saying that in the
>> sense that there is a risk from internal sabotage as there is from
>> internet hackers or are you saying simply having it on for internal
>> users somehow also would allow internet hackers to exploit it?
>>
>> Reading your final paragraph makes it seem like you mean it is the
>> latter.
>>
>> Just to make sure I understand recursion:  My assumption is that this is
>> necessary to do lookups for zones for which we are not authoritative
>> like the examples above.   Is that correct?
>>
>
> Essentially, yes.  The problem is that your resolver, in going out to
> get answers from authoritative servers elsewhere, is at risk of getting
> a *forged* answer from a bad guy, containing bad information, and accepting
> it as valid.  It would then cache the bad information, and continue passing
> it out to your clients for as long as the cache persists.
>
> If any client, inside *or* outside your network, uses your server for
> recursion, then your server is a potential target for this kind of attack.
> And if it hasn't been updated with the patch, the attack may well succeed.
>
Let's be clear here. The problem is *response*forgery*.

The fact that the forged responses may get into the cache and affect 
future lookups only *amplifies* the problem. But even devices that don't 
cache *at*all* (e.g. so-called "DNS proxies") can be affected by this issue.

There have been genuine "cache poisoning" issues in the past (e.g. 
unrelated, malicious data in the Authority or Additional sections of a 
response getting into caches), but this isn't one of them.

Frankly, the media, and even some of the technical experts quoted in the 
media, have been doing a disservice, in my opinion, by constantly 
describing this issue only as "cache poisoning".

Terminology matters.

- Kevin