Subject: Re: The out-of-domain NS registration attack
From: David, Gover (dgoverCINDY.HOL.GR)
Date: Wed Mar 15 2000 - 02:54:40 CST


On Tue, 14 Mar 2000, D. J. Bernstein wrote:

> Let's say an attacker wants to steal your mail to hotmail.com.
>

[snip]

> The attacker then registers a new domain with NSI, using ns1.jsnet.com
> as the domain's server name, but his own IP address for ns1.jsnet.com:
>
> zerosecurity.com NS ns1.jsnet.com
> ns1.jsnet.com A 5.6.7.8

Afaik, you will be unable to do this, as for each host record at NSI, they
also hold an IP address. When you specify ns1.jsnet.com as an NS for
your domain, the IP address NSI already holds for this hostname is used.
Even if you are able to specify a different address for 'ns1.jsnet.com' on
your application form, NSI (should|will) either reject it, or
ns1.jsnet.com will have both the old, and new A record on NSI's
nameservers. Couldn't this lead to other major problems apart from
stealing email?

It's a while since I've registered a domain name with NSI, and so things
may work slightly differently than I have stated or expect.

Dave
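
The registry-side check this reply expects, sketched as an added example that is not part of the original message or NSI's actual system: a registration that supplies a different address for an existing host record is rejected before anything is committed. `Registry`, `GlueConflict` and the held address 192.0.2.53 are constructed for illustration; 5.6.7.8 and the host names are the ones quoted above.

```python
import ipaddress

class GlueConflict(Exception):
    """Registration supplied a different address for an existing host record."""

class Registry:
    """Toy registry: one address per host record, shared by every delegation."""

    def __init__(self):
        self.hosts = {}        # host name -> ip address held by the registry
        self.delegations = {}  # domain -> list of NS host names

    @staticmethod
    def _norm(name):
        # DNS names are case-insensitive; drop the optional trailing dot.
        return name.rstrip(".").lower()

    def register(self, domain, nameservers):
        """nameservers: [(host, ip_or_None)]. Validate all, then commit."""
        pending = {}
        for host, ip in nameservers:
            host = self._norm(host)
            held = self.hosts.get(host, pending.get(host))
            if ip is None:
                if held is None:
                    raise ValueError(f"no host record or address for {host}")
                continue
            addr = ipaddress.ip_address(ip)
            if held is not None and addr != held:
                raise GlueConflict(f"{host} is held as {held}, not {addr}")
            pending[host] = addr
        self.hosts.update(pending)
        names = [self._norm(h) for h, _ in nameservers]
        self.delegations[self._norm(domain)] = names
        return names

def demo():
    reg = Registry()
    reg.register("jsnet.com", [("ns1.jsnet.com", "192.0.2.53")])  # constructed
    try:
        reg.register("zerosecurity.com", [("NS1.JSNET.COM.", "5.6.7.8")])
        outcome = "accepted"
    except GlueConflict:
        outcome = "rejected"
    reg.register("zerosecurity.com", [("ns1.jsnet.com", None)])
    return outcome, str(reg.hosts["ns1.jsnet.com"]), reg.delegations

if __name__ == "__main__":
    print(demo())
```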