idea about forging dns data
Sami Kerola
kerolasa at rotta.media.sonera.net
Wed Aug 31 13:15:46 UTC 2005
Hello,
I am a hostmaster and a while ago a co-worker asked whether it is possible to
lie about 2000-3000 names in a resolver. His noble cause was kiddie porn
sites which should resolve to some other IP than the real site
where the immoral material exists.
The first idea was to declare the zone as a master on the resolver and make it
empty. Unfortunately all other hosts in the same domain will stop
working. This "solution" is also quite hard to keep clear because
of many, many zone files.
Second, I thought of a zone transfer from a root server and putting bad
names into the root file, where they'd be served. But that does not
work because names in the root file are not authoritative and the resolver
will look for the data from the authoritative server.
The third and last idea I came up with was cache poisoning, if there
were some deterministic way to poison our own resolvers so that
every single record could be a forgery. This "forgery" zone could
even have a master server and there could be many sources of forgery
records, so that one blocks kiddie porn, one blocks hoax web pages
etc. As far as I know current BIND does not have this kind of feature,
but how hard would developing it be? If this feature is
possible, does anyone else see anything good in this, maybe so much
good that this feature will be developed?
Before everyone starts to shout about politics etc. please read the
paragraph below.
I am fully aware that all the ideas above break DNS. I also
acknowledge that a data forgery zone is a perfect tool for internet
censorship and impacts freedom of speech in a negative way. Putting
nonsense into the resolver cache might also cause mystical failures for
everyone who uses the resolver.
--
Sami Kerola
http://personal.inet.fi/atk/kerolasa/
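The feature the post asks for was added to BIND later as Response Policy Zones (RPZ, BIND 9.8 and newer): a separate policy zone, which can be slaved from a master and combined with other policy zones, overrides the resolver's answers for listed names without making it authoritative for the real domains. As an added example that is not part of the original post, this Python script turns a constructed blocklist into an RPZ zone file; the zone name rpz.local, the file name and the block-page address 192.0.2.1 are assumptions.

```python
"""Generate a BIND Response Policy Zone (RPZ) file from a list of names.

RPZ (BIND 9.8 and later) lets a recursive resolver override answers for the
listed names without being authoritative for the real zones. Resolver-side
configuration this example assumes (constructed; zone name is hypothetical):
    options { response-policy { zone "rpz.local"; }; };  # several zones may be listed
    zone "rpz.local" { type master; file "rpz.local.db"; };
"""
import re

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with "-".
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """True if every label of a lower-cased, dot-stripped name is well formed."""
    return len(name) <= 253 and all(LABEL_RE.match(lab) for lab in name.split("."))


def rpz_records(names, redirect_ip=None, include_subdomains=True):
    """Policy records, owners relative to the RPZ origin.
    "CNAME ." makes the resolver answer NXDOMAIN for the name; with redirect_ip
    an A record sends clients to a block page instead. Comment lines (#), blanks,
    trailing dots and case are normalised, duplicates dropped, bad names rejected.
    """
    target = f"A {redirect_ip}" if redirect_ip else "CNAME ."
    records, seen = [], set()
    for raw in names:
        name = raw.strip().lower().rstrip(".")
        if not name or name.startswith("#") or name in seen:
            continue
        if not valid_hostname(name):
            raise ValueError(f"malformed name in blocklist: {raw!r}")
        seen.add(name)
        records.append(f"{name} IN {target}")
        if include_subdomains:  # also cover www.name, cdn.name, ...
            records.append(f"*.{name} IN {target}")
    return records


def rpz_zone(names, serial, redirect_ip=None):
    """Complete zone file: SOA and NS (every zone needs them) plus the policy."""
    header = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 900 604800 300)",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + rpz_records(names, redirect_ip)) + "\n"


# Constructed sample blocklist, as it might arrive from a feed or a colleague.
SAMPLE = ["bad.example.", "BAD.example", "# comment line", "", "other.example"]
```

Write `rpz_zone(SAMPLE, serial=2005083101)` to the file named in the `zone` statement and reload named; bump the serial on every change so secondaries pick it up.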