From: Alexander Sotirov (alexsotirov.net)
Date: Tue Jul 22 2008 - 12:17:27 CDT
On Tue, Jul 22, 2008 at 12:16:27PM -0400, Paul Wouters wrote:
> The problem here is that it seems DNS servers are accepting glue within
> a NXDOMAIN answer. I cannot come up with a reason why that should be
> allowed at any time, and I assume it happens more due to programming
> reasons than due to protocol reasons.
> AFAIK, source port randomization just makes the NXDOMAIN race harder; it
> is not the real fix. Not accepting GLUE with NXDOMAIN is the real fix.
No, it's not, because the spoofed response packet that the attacker sends
does not have to be an NXDOMAIN. It can have a valid A record for
doesnotexist.google.com (and whatever additional records are needed to
poison the cache).
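The caching decision the two messages disagree about, as an added example that is not code from either poster: a toy resolver-side model that applies the "refuse glue on NXDOMAIN" rule and, for comparison, a standard bailiwick check to one forged NOERROR reply. Everything except the name doesnotexist.google.com is constructed here (www.google.com as the in-zone target record, www.example.net as an out-of-zone record, RFC 5737 documentation addresses).

```python
from dataclasses import dataclass

# Hypothetical minimal model of the records a resolver sees in one response.
@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # "A", "NS", ...
    rdata: str   # address or target

@dataclass
class Response:
    qname: str
    rcode: str                # "NOERROR" or "NXDOMAIN"
    answer: tuple = ()
    additional: tuple = ()    # glue / extra records

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def accept_nxdomain_rule(resp: Response) -> list:
    """Rule from the quoted message: refuse additional records only when the
    response is NXDOMAIN; everything in a NOERROR reply is cached."""
    if resp.rcode == "NXDOMAIN":
        return list(resp.answer)
    return list(resp.answer) + list(resp.additional)

def accept_bailiwick_rule(resp: Response, zone: str) -> list:
    """Bailiwick check: cache a record only if its owner name is inside the
    zone the queried nameserver is authoritative for."""
    return [rr for rr in (*resp.answer, *resp.additional) if in_bailiwick(rr.name, zone)]

# Constructed sample: a forged NOERROR reply to a query for a nonexistent name
# carrying an extra A record for a real host in the same zone (the case the
# reply above describes) plus one out-of-zone record.
FORGED = Response(
    qname="doesnotexist.google.com",
    rcode="NOERROR",
    answer=(RR("doesnotexist.google.com", "A", "192.0.2.1"),),
    additional=(RR("www.google.com", "A", "192.0.2.2"),
                RR("www.example.net", "A", "198.51.100.3")),
)

def cached_names(records) -> list:
    """Owner names a rule would let into the cache, sorted for comparison."""
    return sorted(rr.name for rr in records)

if __name__ == "__main__":
    print("NXDOMAIN-only rule caches:", cached_names(accept_nxdomain_rule(FORGED)))
    print("bailiwick rule caches:   ", cached_names(accept_bailiwick_rule(FORGED, "google.com")))
```

Both rules let the in-zone www.google.com record through; the bailiwick check only drops the out-of-zone one, which is why the thread falls back to making a forged reply hard to match (transaction ID plus source port entropy) rather than to filtering additional records by rcode.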
Dailydave mailing list