North American Network Operators Group
Re: DNS cache poisoning attacks -- are they real?
- From: Florian Weimer
- Date: Tue Mar 29 06:06:15 2005
* Brad Knowles:
> At 12:09 AM +0200 2005-03-28, Florian Weimer wrote:
>> I doubt this will work on a large scale.
> It's already been done on a large scale.
>> At least recent BIND
>> resolvers would discard replies from the abused caching resolvers
>> because they lack the AA bit, so only clients using the resolvers as
>> actual resolvers are affected.
> The resolver requiring that the AA bit be set would prohibit anyone
> from forwarding queries to another server, which might be answering
> from cache.
Would you point me to such a configuration? I don't think it will
work reliably for this purpose because BIND 9 only waives the
requirement for the AA bit if the authority section of the response
remotely looks like a referral. I doubt that this is the case if you
simply redirect to a cache.
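The acceptance rule Florian describes above, modelled as an added example: this is not code from the thread or from BIND, and the exact referral criteria it uses (NOERROR, empty answer section, no SOA, NS records whose owner is an ancestor of the query name) are assumptions about what "looks like a referral" means. It shows why a plain cached answer forwarded without the AA bit is dropped while a delegation-shaped reply is not.

```python
"""Model of the acceptance rule discussed above: a recursive resolver that
drops non-AA answers unless the response looks like a referral.
Constructed illustration, not BIND source; the criteria are assumptions."""
from dataclasses import dataclass, field
from typing import List

@dataclass
class RR:
    name: str     # owner name, e.g. "www.example.net."
    rtype: str    # "A", "NS", "SOA", ...
    rdata: str

@dataclass
class Response:
    qname: str
    aa: bool                         # Authoritative Answer header bit
    rcode: str = "NOERROR"
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)

def _is_parent(zone: str, name: str) -> bool:
    """True if zone equals name or is an ancestor of it (absolute names)."""
    z = zone.lower().rstrip(".") + "."
    n = name.lower().rstrip(".") + "."
    return z == "." or n == z or n.endswith("." + z)

def looks_like_referral(resp: Response) -> bool:
    """Assumed referral shape: NOERROR, empty answer section, no SOA, and
    only NS records whose owner is an ancestor of (or equal to) the qname."""
    if resp.rcode != "NOERROR" or resp.answer:
        return False
    if any(rr.rtype == "SOA" for rr in resp.authority):
        return False
    ns = [rr for rr in resp.authority if rr.rtype == "NS"]
    return bool(ns) and all(_is_parent(rr.name, resp.qname) for rr in ns)

def accept_reply(resp: Response) -> bool:
    """Use the reply only if AA is set, or it can be followed as a referral."""
    return resp.aa or looks_like_referral(resp)

# Constructed sample replies for the cases in the discussion (not captured traffic).
CACHE_FORWARDED = Response(qname="www.example.net.", aa=False,
                           answer=[RR("www.example.net.", "A", "192.0.2.10")])
AUTHORITATIVE = Response(qname="www.example.net.", aa=True,
                         answer=[RR("www.example.net.", "A", "192.0.2.10")])
REFERRAL = Response(qname="www.example.net.", aa=False,
                    authority=[RR("example.net.", "NS", "ns1.example.net.")])
UNRELATED_NS = Response(qname="www.example.net.", aa=False,
                        authority=[RR("example.org.", "NS", "ns1.example.org.")])
```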