Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Thoughts about DNS...
From: vermont () GATE NET (Illuminati Primus)
Date: Sun, 27 Apr 1997 04:35:36 -0400

On Sun, 27 Apr 1997, Thomas H. Ptacek wrote:

You can't guarantee that every nameserver in the world will support TCP.

Its more dependable than trying to depend on some type of cookie hidden in
areas that arent guaranteed to come back unmangled

[ re: the possibility of manipulating servers into caching NXDOMAIN
      as a result of forgery protection ]

Servers shouldn't cache this unless theyre broken.  And if theyre broken
in this regard, then they most likely also have predictable IDs and all
the other fun stuff that goes along with old software.

Well since we are dealing with these problems right now, we can be
intelligent and not cache a host/IP as broken when we receive spoofed

Ok, just bringing it up. However, we've still prevented a legitimate query
from resolving, so the only choices we have are to play dead or to
incorrectly return an NXDOMAIN (right?).

Well, if the tcp connection also fails, we can return failure and try
again later.. So each lookup request that the attacker generates will give
him one try at guessing the ID number.. And each time, his plans might get
foiled by a successful connection to the real name servers, or a living
sysadmin noticing all of the logs spewing out.. Again, the best protection
would be cryptography

That doesn't work. This is a blind attack; I can make the queries come
from any address in the world I want them to come from. I don't think
anything that relies on router configuration is a solution - do you?

You can probably configure what addresses you'll accept recursive queries
from in the bind config also.. Ill check it out

[ re: TCP vs Cookie Response ]
I think connecting to the servers via TCP would be the better solution,
since it is a capability built into almost every DNS server in existence.

Responding NXDOMAIN to a query is a capability built into every DNS server
in existance. TCP DNS is not. It's an excellent idea, though!

TCP-ready BIND servers are probably 99% of the internet.  However, if you
find that cookies work more reliably, then that would be the superior
solution.  It certainly has more room for strange failures though

If it doesn't, I can continue trying this attack indefinitely until I win.

The same with the cookies, except over a larger range of ID space.  Also:
what do you do if a server doesnt return your cookies?  Return a failure?
Ignore it?

it would be that quick and easy.  This is really a serious problem that
should be addressed.

Agreed. I think the combination of D.O.S. with the ID prediction attack is
the most significant issue here.

Well, with the method I am proposing, a DOS attack will only be possible
if port 53 is unavailable on the authoritative nameservers for the domain
that is being blocked.  So the problem no longer lies in your nameserver,
it is now a problem of the site being blocked for whatever reason, and
would have to be fixed on that end.  What else can be done on our end?

-vermont () gate net

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]