mailing list archives
Re: how to protect name servers against cache corruption
From: "Perry E. Metzger" <perry () piermont com>
Date: Wed, 30 Jul 1997 10:03:21 -0400
tqbf () smtp enteract com writes:
In article <19970730001246.22933 () netmonger net>, you wrote:
_details_. Paul has written papers on DNS security, along with BIND
itself, and I'm inclined to believe him when he says there are no more
trivial fixes. If you know of one, why don't you share it? I'm not
Here's a simple piece of input. If BIND 8.1.1 receives a DNS query
response with an invalid query ID, it logs it and drops the packet.
However, the invalid query ID is evidence of an attack in progress. Why
doesn't BIND parse the packet, find out what question is being answered,
and immediately re-issue the query with a different ID?
Oh, beautiful. I'd love a tool like that -- it would give me a way of
forcing copies of BIND that had been rigged not to accept arbitrary
outside queries to make queries of my choice. Were I a systems
cracker, I would love such a tool.
I can think of some other mean hacks I could do with that facility, too.
The problem is not a lack of "clever hacks". The problem is a lack of
security in the DNS protocols without DNSSEC.
In other words, it's possible for BIND to detect that it is under attack
(in a response-forged query-ID guessing situation). BIND doesn't do
anything about this. Why?
Because the idea isn't very intelligent? Because not everyone on earth
is an idiot and stuff like this has been considered before by other
people and rejected because it wasn't a brilliant idea?
Just the simplest suggestion I can come up with (without having this go
into multiple pages) to convey the idea that I am trying to be
No, what you are, Mr. Ptacek, is someone none of us have ever heard of
who is coming in like a bull in a china shop informing us that
although the people who build and maintain things like BIND aren't
very bright, you are out there willing to save us.
Thanks, but no thanks.