BIND ignores queries from specific privileged source ports

Warren Kumari warren at kumari.net
Mon Jun 10 19:44:16 UTC 2019


On Mon, Jun 10, 2019 at 12:37 PM Grant Taylor via bind-users
<bind-users at lists.isc.org> wrote:
>
> On 6/7/19 8:44 PM, Mark Andrews wrote:
> > Named drops those ports as they can be used in reflection attacks.
> > Sane NAT developers avoid those ports for just that reason.  The full
> > list is below.
>
> I understand the logic behind avoiding potentially problematic ports.
>
> But I don't understand the actual attack scenario.  Is the attack
> against the BIND server?

The root problem is cache poisoning -- see "The Hitchhiker’s Guide to
DNS Cache Poisoning" Section 3.2 Blind response forgery using birthday
attack ( https://www.cs.cornell.edu/~shmat/shmat_securecomm10.pdf )
for a reasonable writeup.
It's unclear how much protection using the additional port space
actually helps in practice, but...

There are many other mitigations, and the "right" answer is "just use DNSSEC".

W

>  I.e. in an attempt to cause BIND to establish
> a never ending loop of packets between itself and the purported address?
>   Or is this an attempt to cause BIND to attack a spoofed source with
> said loop?
>
> Nor do I understand why BIND couldn't differentiate between an actual
> query vs a reflected reply, daytime response, chargen, or time packet.
>
> Will someone please explain what I'm failing to understand?
>
>
>
> --
> Grant. . . .
> unix || die
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
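To make Warren's point concrete, here is an added worked example that is not part of either message in this thread and not BIND code. It quantifies the entropy an attacker must guess in a blind response forgery (the 16-bit TXID plus the randomized UDP source port) and the birthday-attack success estimate from the cited paper's Section 3.2, then shows how little entropy is lost when a resolver refuses to use a handful of ports. The exclusion set is a constructed placeholder, not the list Mark Andrews posted, and the ephemeral port range is an assumption.

```python
"""Entropy and blind-forgery estimates for DNS source-port randomization.

Added example (not from the thread, not from BIND). Numbers are the standard
model: a resolver picks a uniformly random 16-bit TXID and a uniformly random
source port per query; the attacker must match both to forge a response.
"""
import math

TXID_BITS = 16            # DNS transaction ID is a 16-bit field
DEFAULT_LOW, DEFAULT_HIGH = 1024, 65535   # assumed ephemeral port range


def usable_ports(low=DEFAULT_LOW, high=DEFAULT_HIGH, excluded=frozenset()):
    """Number of source ports a resolver can actually choose from.

    `excluded` is a placeholder for ports a resolver refuses to use (the
    thread says BIND avoids reflection-prone ports; the real list is not
    reproduced here).
    """
    return sum(1 for p in range(low, high + 1) if p not in excluded)


def guess_space_bits(n_ports):
    """Total entropy (bits) of the (TXID, source port) pair an attacker must hit."""
    return TXID_BITS + math.log2(n_ports)


def entropy_cost_of_exclusion(excluded, low=DEFAULT_LOW, high=DEFAULT_HIGH):
    """Bits of port entropy lost by refusing to use the ports in `excluded`."""
    full = usable_ports(low, high)
    reduced = usable_ports(low, high, excluded)
    return math.log2(full) - math.log2(reduced)


def birthday_success_probability(queries, responses, n_ports):
    """Approximate P(at least one forged response matches an outstanding query).

    Model from the cited paper's Section 3.2: `queries` outstanding queries each
    carry an independent random (TXID, port); the attacker sends `responses`
    forged replies with distinct (TXID, port) values. With space S, the chance
    that none collide is about exp(-queries*responses/S).
    """
    space = (2 ** TXID_BITS) * n_ports
    return 1.0 - math.exp(-(queries * responses) / space)


if __name__ == "__main__":
    # Constructed placeholder: pretend the resolver refuses ten specific ports.
    refused = frozenset(range(2000, 2010))
    n_all = usable_ports()
    n_reduced = usable_ports(excluded=refused)

    print(f"TXID only:            {guess_space_bits(1):.2f} bits")
    print(f"TXID + random port:   {guess_space_bits(n_all):.2f} bits")
    print(f"entropy lost by refusing {len(refused)} ports: "
          f"{entropy_cost_of_exclusion(refused):.5f} bits")

    # One outstanding query, 65536 forged responses (enough to cover every TXID):
    print(f"no port randomization: P={birthday_success_probability(1, 65536, 1):.3f}")
    print(f"with port randomization: P={birthday_success_probability(1, 65536, n_reduced):.2e}")
```

The comparison shows why the thread treats a few refused ports as irrelevant to security: dropping ten ports out of roughly 64k costs well under a thousandth of a bit, while the port randomization itself adds almost 16 bits and turns a near-certain forgery (against TXID alone) into a roughly one-in-64k chance per query for the same attacker effort. That is also why Warren's closing advice is DNSSEC: entropy only raises the cost of forgery, whereas signatures make forged answers fail validation regardless of how many replies an attacker can send.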