Re: [Dailydave] DNS Speculation

From: Parity (pty.errgmail.com)
Date: Tue Jul 22 2008 - 06:58:07 CDT


From DJB's notes:

"Caches must discard yahoo.com information except from the
yahoo.com servers, the com servers, and the root servers."

i.e., the problem with Halvar's guess is that in his example, he elicits
queries for subdomains of .com (ulam00001.com, ulam00002.com, etc) for an
attempted attack on gmx*.net*. The resolver will discard the glue for
ns.gmx.net because .net is outside of the bailiwick of .com.

All we need to do to correct this is elicit queries for subdomains of .net
(e.g., ulam00001.net, ulam00002.net) and then forge replies from the .net
name servers, and then the forged glue records for ns.gmx.net will be
accepted.

pty

On Mon, Jul 21, 2008 at 3:50 PM, Petja van der Lek <lekxs4all.nl> wrote:

> It looks like you're channelling Dan Bernstein, 8 years after the fact.
> See: <http://cr.yp.to/djbdns/notes.html>. What your diabolical scheme
> boils down to is the inappropriate caching of out-of-zone glue records.
> As far as I know, djbdns never cached out-of-zone glue records, and BIND
> stopped doing that with version 9. Um, it did, right? (pokes the *real*
> experts for support)
>
> Cheers,
> Lek.
>
> Halvar Flake wrote:
> [BIG SNIP]
> > Mallory wants to poison DNS lookups on server ns.polya.com for the
> > domain www.gmx.net. The nameserver
> > for gmx.net is ns.gmx.net. Mallory's IP is 244.244.244.244.
> >
> > Mallory begins to send bogus requests for www.ulam00001.com,
> > www.ulam00002.com ... to ns.polya.com.
> > ns.polya.com doesn't have these requests cached, so it asks a root
> > server "where can I find the .com NS?"
> > It then receives a referral to the .com NS. It asks the nameserver for
> > .com where to find the nameserver
> > for ulam00001.com, ulam00002.com etc.
> >
> > Mallory spoofs referrals claiming to come from the .com nameserver to
> > ns.polya.com. In these referrals, it
> > says that the nameserver responsible for ulamYYYYY.com is a server
> > called ns.gmx.net and that
> > this server is located at 244.244.244.244. Also, the time to live of
> > this referral is ... long ...
> >
> > Now eventually, Mallory will get one such referral spoofed right, e.g.
> > the TXID etc. will be guessed properly.
> > ns.polya.com will then cache that ns.gmx.net can be found at ...
> > 244.244.244.244. Yay.
> >
> > The above is almost certainly wrong. Can someone with more insight into
> > DNS tell me why it won't work?
> >
> >
> _______________________________________________
> Dailydave mailing list
> Dailydavelists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
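The two resolver-side rules the thread turns on can be made concrete. The following is an added example, not code from this thread, from djbdns or from BIND: a toy cache that applies DJB's bailiwick check (glue is only accepted from the zone the referral came from, its parents, or the root) and, as a second line of defence, the RFC 2181 section 5.4.1 credibility ranking, under which additional-section glue cannot replace data already learned from an authoritative answer. It reuses the thread's own names and the 244.244.244.244 address; the 192.0.2.53 address, the `Cache` class and all function names are constructed for the example. Run with the .com variant, the glue for ns.gmx.net is dropped as out of bailiwick; run with the .net variant, the bailiwick check passes and only a previously cached authoritative record keeps the forged address out.

```python
# Added example (not code from the Dailydave thread, djbdns or BIND):
# a toy model of the resolver-side rules that decide whether glue from a
# referral may enter the cache.  Rule 1 is DJB's bailiwick check quoted
# above; rule 2 is the RFC 2181 section 5.4.1 credibility ranking, under
# which additional-section glue cannot overwrite data learned from an
# authoritative answer.  Names and the 244.244.244.244 address are the
# thread's own; the 192.0.2.53 address and the Cache class are constructed.

# Credibility ranks (simplified from RFC 2181 section 5.4.1).
RANK_GLUE = 1           # additional-section data from a referral
RANK_AUTHORITATIVE = 2  # answer-section data from the zone's own servers


def labels(name):
    """Lower-case a DNS name and return its labels, root-most first."""
    return tuple(reversed([l for l in name.lower().rstrip(".").split(".") if l]))


def in_bailiwick(name, zone):
    """True if `name` equals `zone` or lies below it (the root zone is '')."""
    n, z = labels(name), labels(zone)
    return n[:len(z)] == z


def filter_glue(referral_zone, glue):
    """Split (owner, address) glue into in-bailiwick and out-of-bailiwick lists."""
    accepted, discarded = [], []
    for owner, addr in glue:
        (accepted if in_bailiwick(owner, referral_zone) else discarded).append((owner, addr))
    return accepted, discarded


class Cache:
    """Minimal address cache that records the credibility rank of each entry."""

    def __init__(self):
        self.entries = {}  # labels(owner) -> (address, rank)

    def store(self, owner, addr, rank):
        """Cache the record unless an entry of strictly higher rank already exists."""
        key = labels(owner)
        if key in self.entries and self.entries[key][1] > rank:
            return False
        self.entries[key] = (addr, rank)
        return True

    def lookup(self, owner):
        entry = self.entries.get(labels(owner))
        return entry[0] if entry else None


def process_referral(cache, query_name, referral_zone, glue):
    """Apply both rules to one referral; return the glue that entered the cache.

    A referral claiming to come from `referral_zone` is only considered when
    the queried name actually lies inside that zone.
    """
    if not in_bailiwick(query_name, referral_zone):
        return []
    accepted, _ = filter_glue(referral_zone, glue)
    return [(o, a) for o, a in accepted if cache.store(o, a, RANK_GLUE)]


# The glue record from Halvar's scenario: ns.gmx.net claimed to be at Mallory's IP.
FORGED_GLUE = [("ns.gmx.net", "244.244.244.244")]


def halvar_example():
    """Query for ulam00001.com, referral 'from' .com carrying ns.gmx.net glue."""
    return process_referral(Cache(), "www.ulam00001.com", "com", FORGED_GLUE)


def parity_example(already_authoritative):
    """Same glue in a referral 'from' .net for ulam00001.net.

    The bailiwick check now passes, so only the credibility ranking can keep
    an earlier authoritative answer for ns.gmx.net from being replaced.
    Returns (glue that was cached, address now cached for ns.gmx.net).
    """
    cache = Cache()
    if already_authoritative:
        cache.store("ns.gmx.net", "192.0.2.53", RANK_AUTHORITATIVE)  # constructed address
    cached = process_referral(cache, "www.ulam00001.net", "net", FORGED_GLUE)
    return cached, cache.lookup("ns.gmx.net")


if __name__ == "__main__":
    print("Halvar's .com variant, glue cached:", halvar_example())
    print("Parity's .net variant, empty cache:", parity_example(False))
    print("Parity's .net variant, prior authoritative entry:", parity_example(True))
```

The bailiwick check alone is what distinguishes the two variants in the thread; the ranking rule is the extra protection a resolver needs once an attacker picks names inside the right top-level domain, and it only helps for names the resolver has already resolved authoritatively.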
