Understanding Kaminsky exploit w/bind
Jamie Ostrowski
jamie.ostrowski at gmail.com
Mon Apr 15 02:30:41 UTC 2013
Hello,
I hope this isn't too off-topic, but I've been studying the Kaminsky DNS
exploit and I have a question.
According to what I've read on the topic, the Kaminsky exploit hijacks a
whole domain, and that you can launch the attack on a nameserver over and
over. It seems to imply you can do this immediately before waiting for any
TTLs to expire by using a series of random name queries; however, I don't
see how that is possible, and I wonder if anyone can explain this.
I fired up a recursive nameserver running bind 9.4. In another window I
started running a tcpdump session listening for traffic on port 53.
If I perform a query on one of my domains the first time, for
nonexistant-host.mydomain.com, I can see my nameserver querying the roots,
getting a referral to the auth. nameserver for mydomain.com, and then
seeing the query go out to that authoritative nameserver.
That makes sense.
However, if I then fire off another query, for
nonexistant-host2.mydomain.com, I do not see another query going out to
find the auth nameserver for mydomain.com - because it is cached in my
recursive resolver.
This also makes sense.
But then how is it that an attacker, after he sends his first query for a
non-existent host, if they aren't able to guess the transaction id to spoof
a response before the real response comes in, then won't the resolver have
the cached NS records for that mydomain.com stored with a TTL?
I don't see how you can then launch successive queries for other
non-existent hosts until the cached TTL expires for the domain server.
If anyone can shed any light, I'd appreciate it. I've read several
articles on this topic and it's a piece of the puzzle I've been stumped on.
Thanks!
- Jamie