Home page logo

bugtraq logo Bugtraq mailing list archives

Re: The out-of-domain NS registration attack
From: cmadams () HIWAAY NET (Chris Adams)
Date: Mon, 20 Mar 2000 10:10:59 -0600

Once upon a time, Sanford Whiteman <sanford.whiteman () INTERNAL CONVEY COM> said:
Dave, you are certainly correct.  We just performed a giant name server
migration and can verify that NSI's database has dual primary keys, or
what-have-you, that prevent the attack.  A name server's IP address can only
be associated with one NIC handle...once you bind a hostname to the IP, the
hostname is bound to the NIC handle as well.  The only way to change this
information is to be the contact for the name server's domain.  No one else
can duplicate either of the keys.

What you are missing is this: if a domain has name servers that do NOT
exist in the root server list, they can be changed.  The original
example of hotmail.com was a good one.

hotmail.com.            12m40s IN NS    ns3.hotmail.com.
hotmail.com.            12m40s IN NS    ns1.jsnet.com.
hotmail.com.            12m40s IN NS    ns1.hotmail.com.

ns1.jsnet.com is not a registered name server, so you could try to
register an IP address for it other than its real address.

Now, if NetSol (and all of the registrars) restrict registration of a
name server to the technical/zone contacts for the domain (jsnet.com in
the above case), you _should_ still be okay.

Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]