Dailydave
mailing list archives
Re: DNS Speculation
From: Alexander Sotirov <alex () sotirov net>
Date: Tue, 22 Jul 2008 10:17:27 -0700
On Tue, Jul 22, 2008 at 12:16:27PM -0400, Paul Wouters wrote:
> The problem here is that it seems DNS servers are accepting glue within
> an NXDOMAIN answer. I cannot come up with a reason why that should be
> allowed at any time, and I assume it happens more due to programming
> reasons than due to protocol reasons.
> AFAIK, source port randomization just makes the NXDOMAIN race harder; it
> is not the real fix. Not accepting GLUE with NXDOMAIN is the real fix.
No it's not, because the spoofed response packet that the attacker sends
does not have to be an NXDOMAIN. It can have a valid A record for
doesnotexist.google.com (and whatever additional records are needed to
poison the cache).
Alex
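The disagreement above is about where a resolver's acceptance logic actually gates a forged response. The following is an added illustration, not code from the thread or from any resolver: it models the acceptance decision as three steps (match the outstanding query by transaction ID, source port and question; the NXDOMAIN-glue rule Paul proposes; a bailiwick check on additional data, which is a standard resolver check assumed here rather than described in the thread) and runs the two cases discussed. The `www.google.com` record, the RFC 5737 addresses, the port and the transaction ID are constructed sample values.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type and rdata (TTL omitted for brevity)."""
    name: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Response:
    """The fields of a UDP DNS response that matter for the acceptance decision."""
    txid: int            # 16-bit transaction ID echoed from the query
    dst_port: int        # UDP port the response arrived on (the resolver's query source port)
    qname: str
    qtype: str
    rcode: str           # "NOERROR" or "NXDOMAIN"
    answer: tuple = ()
    additional: tuple = ()


@dataclass(frozen=True)
class PendingQuery:
    """What the resolver remembers about a query it has in flight."""
    txid: int
    src_port: int
    qname: str
    qtype: str
    zone: str            # bailiwick: the zone the queried server is authoritative for


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` or a subdomain of it (case-insensitive, trailing dot ignored)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(pending: PendingQuery, resp: Response,
                    reject_nxdomain_glue: bool = True) -> list:
    """Return the records the resolver would cache from `resp`, or [] if it drops the packet.

    Step 1 is the only check that decides whether the packet is a response to a query
    the resolver sent at all. Steps 2 and 3 only decide which records of an
    already-matched response are trusted; they never reject the packet as a whole.
    """
    # Step 1: match against the outstanding query (TXID + port + question).
    key = (resp.txid, resp.dst_port, resp.qname.lower(), resp.qtype)
    if key != (pending.txid, pending.src_port, pending.qname.lower(), pending.qtype):
        return []

    cached = [rr for rr in resp.answer if rr.name.lower() == pending.qname.lower()]

    # Step 2: the rule proposed in the thread: ignore glue carried in an NXDOMAIN.
    if resp.rcode == "NXDOMAIN" and reject_nxdomain_glue:
        return cached  # an NXDOMAIN has no answer records, so this is normally []

    # Step 3: bailiwick check on additional data (assumed standard resolver behaviour,
    # not something the thread describes).
    cached += [rr for rr in resp.additional if in_bailiwick(rr.name, pending.zone)]
    return cached


def run_cases() -> dict:
    """Exercise the cases discussed in the thread; all names and values are constructed."""
    pending = PendingQuery(txid=0x1A2B, src_port=53211, qname="doesnotexist.google.com",
                           qtype="A", zone="google.com")
    glue = (RR("www.google.com", "A", "192.0.2.10"),)   # RFC 5737 documentation address

    # Case 1: an NXDOMAIN carrying additional records (Paul's concern). The glue is dropped.
    nxdomain = Response(pending.txid, pending.src_port, pending.qname, "A",
                        "NXDOMAIN", answer=(), additional=glue)

    # Case 2: same TXID and port, but a positive answer (Alex's point). The NXDOMAIN rule
    # does not apply, and the additional record is in-bailiwick, so it is cached.
    positive = replace(nxdomain, rcode="NOERROR",
                       answer=(RR(pending.qname, "A", "192.0.2.20"),))

    # Case 3: the same positive response with a TXID that does not match: dropped at
    # step 1, before any glue rule is consulted.
    wrong_id = replace(positive, txid=(pending.txid + 1) & 0xFFFF)

    return {
        "nxdomain_glue_cached": any(rr.name == "www.google.com"
                                    for rr in accept_response(pending, nxdomain)),
        "positive_glue_cached": any(rr.name == "www.google.com"
                                    for rr in accept_response(pending, positive)),
        "wrong_txid_cached": bool(accept_response(pending, wrong_id)),
    }


if __name__ == "__main__":
    for case, cached in run_cases().items():
        print(f"{case}: {cached}")
```

Running it shows the shape of Alex's objection: the NXDOMAIN-glue rule changes nothing for a response whose RCODE is NOERROR, and an in-bailiwick additional record still reaches the cache. The only step that applies to every response type is the match at step 1, which is why randomizing the source port (widening what a response has to match beyond the 16-bit transaction ID) affects the race in a way a record-level rule cannot.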
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave