Re: [Dailydave] DNS Speculation

From: Alexander Sotirov (alexsotirov.net)
Date: Tue Jul 22 2008 - 12:17:27 CDT


On Tue, Jul 22, 2008 at 12:16:27PM -0400, Paul Wouters wrote:
> The problem here is that it seems DNS servers are accepting glue within
> a NXDOMAIN answer. I cannot come up with a reason why that should be
> allowed at any time, and I assume it happens more due to programming
> reasons, than due to protocol reasons.
>
> AFAIK, source port randomization just makes the NXDOMAIN race harder, it
> is not the real fix. Not accepting GLUE with NXDOMAIN is the real fix.

No it's not, because the spoofed response packet that the attacker sends
does not have to be a NXDOMAIN. It can have a valid A record for
doesnotexist.google.com (and whatever additional records are needed to
poison the cache).

Alex

_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
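
The point made in the reply above, checked against wire-format DNS messages (an added example, not part of the original post): `nxdomain_glue_filter` is a hypothetical model of the rule proposed in the quoted text, taken here to mean "discard the additional section when RCODE is NXDOMAIN", and both responses are constructed with documentation names and addresses. The filter strips the additional A record from the NXDOMAIN message but passes the identical record untouched when the response is NOERROR with an A answer, so a cache that relies on the RCODE alone still has to validate those records some other way.

```python
import struct

NXDOMAIN, TYPE_A, TYPE_NS = 3, 1, 2

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
def rr(name, rtype, rdata, ttl=300):              # class IN, RFC 1035 section 4.1.3 layout
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(rcode, qname, *sections):      # sections: answer, authority, additional
    header = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, *map(len, sections))
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"".join(b"".join(s) for s in sections)

def read_name(msg, off):
    labels, end, hops = [], None, 0
    while (n := msg[off]):
        if n & 0xC0 == 0xC0:                      # compression pointer
            end, off, hops = end or off + 2, ((n & 0x3F) << 8) | msg[off + 1], hops + 1
            if hops > 16:
                raise ValueError("compression loop")
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n
    return ".".join(labels), end or off + 1

def parse(msg):
    _, flags, qd, *counts = struct.unpack_from("!6H", msg)
    off, sections = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4          # skip QTYPE and QCLASS
    for count in counts:
        records = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            records.append((name, rtype))
        sections.append(records)
    return flags & 0xF, sections                  # RCODE, [answer, authority, additional]

def nxdomain_glue_filter(msg):                    # hypothetical model of the proposed rule
    rcode, (answer, authority, additional) = parse(msg)
    return rcode, answer, authority, ([] if rcode == NXDOMAIN else additional)

NS_RR = rr("example.com", TYPE_NS, encode_name("ns.example.com"))   # constructed samples
GLUE = rr("ns.example.com", TYPE_A, bytes([192, 0, 2, 53]))
ANSWER = rr("doesnotexist.example.com", TYPE_A, bytes([192, 0, 2, 1]))
NXD = build_response(NXDOMAIN, "doesnotexist.example.com", [], [NS_RR], [GLUE])
NOERR = build_response(0, "doesnotexist.example.com", [ANSWER], [NS_RR], [GLUE])
```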