Dailydave mailing list archives

Re: DNS Speculation


From: Alexander Sotirov <alex () sotirov net>
Date: Tue, 22 Jul 2008 10:17:27 -0700

On Tue, Jul 22, 2008 at 12:16:27PM -0400, Paul Wouters wrote:
> The problem here is that it seems DNS servers are accepting glue within
> a NXDOMAIN answer. I cannot come up with a reason why that should be
> allowed at any time, and I assume it happens more due to programming
> reasons than due to protocol reasons.
>
> AFAIK, source port randomization just makes the NXDOMAIN race harder, it
> is not the real fix. Not accepting GLUE with NXDOMAIN is the real fix.

No it's not, because the spoofed response packet that the attacker sends
does not have to be a NXDOMAIN. It can have a valid A record for
doesnotexist.google.com (and whatever additional records are needed to
poison the cache).

Alex
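Added example, not part of the thread or anyone's resolver code: a small Python model of two acceptance policies for additional-section records, applied to a constructed reply of the kind Alex describes (a NOERROR answer for a nonexistent name plus additional records). The `RR`/`Response` types, the 192.0.2.x addresses and www.example.net are assumptions; the model also shows that the in-zone (bailiwick) check resolvers commonly apply still lets the in-zone additional record through, which is why the entropy from port randomization is what makes the race harder.

```python
from dataclasses import dataclass, field
from typing import Callable, List

@dataclass
class RR:
    name: str
    rtype: str
    rdata: str

@dataclass
class Response:
    qname: str                      # name the resolver asked for
    rcode: str                      # "NOERROR" or "NXDOMAIN"
    answer: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it (label-wise, case-insensitive)."""
    n = name.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(n) >= len(z) and n[-len(z):] == z

def nxdomain_glue_filter(resp: Response, zone: str) -> List[RR]:
    """The fix proposed in the thread: refuse additional records only when RCODE is NXDOMAIN."""
    return [] if resp.rcode == "NXDOMAIN" else list(resp.additional)

def bailiwick_filter(resp: Response, zone: str) -> List[RR]:
    """Common resolver rule: cache an additional record only if it lies within the
    zone whose server was consulted, whatever the RCODE."""
    return [rr for rr in resp.additional if in_bailiwick(rr.name, zone)]

# Constructed spoofed reply (assumption): NOERROR with a bogus A for the nonexistent
# name, plus additional records; www.google.com is the in-zone name the attacker
# actually wants cached, www.example.net is an out-of-zone record for contrast.
SPOOFED = Response(
    qname="doesnotexist.google.com",
    rcode="NOERROR",
    answer=[RR("doesnotexist.google.com", "A", "192.0.2.1")],
    additional=[RR("www.google.com", "A", "192.0.2.2"),     # in zone: passes both filters
                RR("www.example.net", "A", "192.0.2.3")],   # out of zone: bailiwick drops it
)

def cached_by(policy: Callable[[Response, str], List[RR]],
              resp: Response = SPOOFED, zone: str = "google.com") -> List[str]:
    """Names the given policy would admit into the cache."""
    return [rr.name for rr in policy(resp, zone)]

if __name__ == "__main__":
    print("NXDOMAIN-only filter caches:", cached_by(nxdomain_glue_filter))
    print("bailiwick filter caches:   ", cached_by(bailiwick_filter))
    # Both admit www.google.com: neither policy closes the race on its own.
```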


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave