A RR && DNS spoofing

Simon Waters Simon at wretched.demon.co.uk
Mon May 27 08:57:02 UTC 2002


Mark_Andrews at isc.org wrote:
> 
> > (2) I read Men & Mice articles about DNS spoofing!
> > I'm wondering, is BIND 9.2.x vulnerable to such attacks?
> 
>         All caching DNS servers are vulnerable to such attacks
>         unless the responses are authenticated via cryptographic
>         methods (DNSSEC/TSIG/IPSEC).

One caching DNS server does open a new socket for each query,
which helps improve the odds, but such attacks are difficult and
likely to produce a lot of logging.

> > Is it better to set up two internal NS (one for domain.lv serving
> > and other for recursive internal clients)?
> 
>         Slightly, but again this is your choice.

What attack are you concerned about? If you have a large number
of internal recursive DNS servers then it is just like the
Internet, but with smaller numbers of internal recursive DNS
servers (face it, only big multisite companies need large numbers
of recursive servers) a poisoning done by a local user would
probably be wide enough in effect to move the hacker forward.

I've yet to see a corporate network where DNS poisoning by
"brute force" spoofing attacks would be the easy route of
attack, or even a necessary route of attack. Up ahead of it on
my security list would be preventing the use of the DNS as a
covert channel by trojans, which means cutting networks free of
the Internet DNS entirely, and this is already seen as a
minority interest by most people (rightly or wrongly).

I guess a good rule of thumb would be: if you don't firewall
between company departments/sites, then forget this subtlety; you
have bigger fish to fry. If you do already firewall between
departments, you've probably already had to consider the flow of
DNS traffic.

BTW: Has anyone persuaded BIND to list queries about ".bind" domain
names? Probably another more important issue in intruder
detection?!
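The thread's two claims about blind spoofing (every caching server is exposed unless replies are authenticated, and a fresh source port per query makes the attack harder and noisier) come down to the size of the (transaction ID, source port) space an attacker has to guess. The following is an added example, not code from the post or from BIND: it computes the per-query hit probability, the cumulative probability over repeated queries, and the number of forged packets an attacker has to put on the wire, then checks the formula with a small Monte Carlo run. The 1024..65535 ephemeral range and the "attacker guesses distinct pairs" model are assumptions made here for illustration.

```python
import random

TXID_SPACE = 1 << 16           # 16-bit DNS transaction ID: 65536 values
FIXED_PORT_COUNT = 1           # resolver reuses one UDP source port for every query
EPHEMERAL_PORT_COUNT = 64512   # a fresh socket per query, port drawn from 1024..65535 (assumed range)


def search_space(port_count):
    """Number of (txid, source port) pairs a blind attacker must guess among."""
    return TXID_SPACE * port_count


def p_hit_per_query(n_forged, port_count):
    """Chance that n distinct forged replies include the pair the resolver is waiting for."""
    space = search_space(port_count)
    return min(n_forged, space) / space


def p_success(n_forged, port_count, queries):
    """Chance of at least one poisoned answer over `queries` independent attempts."""
    return 1 - (1 - p_hit_per_query(n_forged, port_count)) ** queries


def expected_forged_packets(n_forged, port_count):
    """Expected number of forged replies on the wire before the first hit.

    Every miss is a stray UDP datagram aimed at the resolver, which is the
    logging/noise the attacker cannot avoid.
    """
    return n_forged / p_hit_per_query(n_forged, port_count)


def simulate(n_forged, port_count, queries, seed=2002):
    """Monte Carlo check of p_hit_per_query: the resolver draws a random
    (txid, port) pair; the attacker fires n distinct guesses per query."""
    rng = random.Random(seed)
    space = search_space(port_count)
    hits = 0
    for _ in range(queries):
        target = rng.randrange(space)
        guesses = rng.sample(range(space), min(n_forged, space))
        if target in set(guesses):
            hits += 1
    return hits / queries


if __name__ == "__main__":
    for label, ports in (("fixed port", FIXED_PORT_COUNT), ("random port", EPHEMERAL_PORT_COUNT)):
        print(f"{label}: p(hit)/query = {p_hit_per_query(1000, ports):.2e}, "
              f"p(success in 100 queries) = {p_success(1000, ports, 100):.2e}, "
              f"forged packets per success ~ {expected_forged_packets(1000, ports):.3g}")
```

With a fixed source port, 1000 forged replies per query give roughly a 1.5% chance per query and about 65536 packets per poisoning, which is why the attack is "difficult and likely to produce a lot of logging" rather than impossible; with a random port the same budget needs on the order of 4 billion packets. Neither case is a substitute for authenticated answers (DNSSEC/TSIG), which remove the guessing game entirely.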


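On the closing question about spotting ".bind" queries: one way to do it after the fact is to scan BIND's query log (querylog enabled) for CHAOS-class queries and the well-known fingerprinting names. This is an added example, not part of the post and not BIND's own tooling; the sample lines are constructed here in the shape of BIND 9 query-log output (both the older "client IP#port:" layout and the newer one with "@0x..." and "(qname)"), using documentation addresses, and may not match every BIND release's format exactly.

```python
import re
from collections import Counter

# Constructed sample in the shape of a BIND 9 query log; not from a real server.
SAMPLE_LOG = """\
27-May-2002 08:40:11.123 client 192.0.2.10#4321: query: version.bind CH TXT + (10.0.0.1)
27-May-2002 08:40:11.456 client 192.0.2.10#4322: query: hostname.bind CH TXT + (10.0.0.1)
27-May-2002 08:40:12.001 client 10.0.0.25#1053: query: www.example.com IN A + (10.0.0.1)
27-May-2002 08:40:12.789 client 198.51.100.7#53000: query: authors.bind CH TXT - (10.0.0.1)
27-May-2002 08:40:13.000 client 10.0.0.26#1054: query: mail.example.com IN MX + (10.0.0.1)
27-May-2002 08:40:14.222 client 192.0.2.10#4323: query: version.bind IN TXT + (10.0.0.1)
27-May-2002 08:40:15.500 zone example.com/IN: loaded serial 2002052701
27-May-2002 08:40:16.000 client @0x7f0c1c0a2b10 203.0.113.9#40000 (version.bind): query: version.bind CH TXT + (10.0.0.1)
"""

# Matches "client IP#port: query: NAME CLASS TYPE ..." with or without the
# "@0x... " address and "(qname)" that newer BIND versions insert before the colon.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Names that reveal server software, version or instance identity.
FINGERPRINT_NAMES = {"version.bind", "hostname.bind", "authors.bind",
                     "id.server", "version.server"}


def parse_query(line):
    """Return a dict for a query-log line, or None for anything else."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["qname"] = rec["qname"].rstrip(".").lower()
    rec["qclass"] = rec["qclass"].upper()
    rec["qtype"] = rec["qtype"].upper()
    return rec


def is_fingerprint_probe(rec):
    """Any CHAOS-class query is unusual on a production resolver, and the
    *.bind / *.server names are probes whatever class they arrive in
    (the IN-class version.bind line above is a probe that got the class wrong)."""
    return (rec["qclass"] == "CH"
            or rec["qname"] in FINGERPRINT_NAMES
            or rec["qname"].endswith(".bind"))


def find_probes(lines):
    """All parsed query records that look like server fingerprinting."""
    probes = []
    for line in lines:
        rec = parse_query(line)
        if rec and is_fingerprint_probe(rec):
            probes.append(rec)
    return probes


def probes_by_client(lines):
    """Count probes per source address, the figure worth alerting on."""
    return Counter(rec["ip"] for rec in find_probes(lines))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in find_probes(lines):
        print(f"{rec['ip']:>15}  {rec['qclass']:<3} {rec['qtype']:<4} {rec['qname']}")
    print(dict(probes_by_client(lines)))
```

Feeding the real query log in (for example `find_probes(open("/var/log/named/query.log"))`) gives a per-client count that can go straight to whatever alerting the site already uses; the class check catches probes for names not in the list, and the name check catches probes that were sent in class IN.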
More information about the bind-users mailing list