Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DNS cache poisoning attacks -- are they real?

  • From: Florian Weimer
  • Date: Tue Mar 29 06:06:15 2005

* Brad Knowles:

> At 12:09 AM +0200 2005-03-28, Florian Weimer wrote:
>
>>  I doubt this will work on a large scale.
>
> 	It's already been done on a large scale.
>
>>                                            At least recent BIND
>>  resolvers would discard replies from the abused caching resolvers
>>  because they lack the AA bit, so only clients using the resolvers as
>>  actual resolvers are affected.
>
> 	Incorrect.

Indeed.

> The resolver requiring that the AA bit be set would prohibit anyone
> from forwarding queries to another server, which might be answering
> from cache.

Would you point me to such a configuration?  I don't think it will
work reliably for this purpose because BIND 9 only waives the
requirement for the AA bit if the authority section of the response
remotely looks like a referral.  I doubt that this is the case if you
simply redirect to a cache.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.