Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DNS cache poisoning attacks -- are they real?

  • From: Florian Weimer
  • Date: Tue Mar 29 10:44:27 2005

* Chris Brenton:

> In a perfect world, this might be a viable solution. The problem is
> there are far too many legitimate but "broken" name servers out there.
> On an average day I log well over 100 lame servers. If I broke this
> functionality, my helpdesk would get flooded pretty quickly with angry
> users.

Assuming BIND 9:

        /*
         * Is the server lame?
         */
        if (fctx->res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
            is_lame(fctx)) {
                log_lame(fctx, query->addrinfo);
                result = dns_adb_marklame(fctx->adb, query->addrinfo,
                                          &fctx->domain,
                                          now + fctx->res->lame_ttl);
                if (result != ISC_R_SUCCESS)
                        isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
                                      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
                                      "could not mark server as lame: %s",
                                      isc_result_totext(result));
                broken_server = DNS_R_LAME;
                keep_trying = ISC_TRUE;
                goto done;
        }

So if you see something in the logs, it is already broken. 8-)

The discussion in this part of the thread focuses on flagging more
servers as lame (which are currently not detected by BIND or even
logged).




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.