pharming.. dns cache insertion...

Brad Knowles brad at stop.mail-abuse.org
Sat Apr 9 20:59:19 UTC 2005


At 10:32 AM -0700 2005-04-09, bruce wrote:

>  how does one/could one go about determining if an IP Address is actually
>  valid...

	Without DNSSEC, you have to start trusting somebody, somewhere. 
Generally, this means that you trust the root nameservers.  So, you 
follow the chain down.  If you want to check out www.example.com, you 
first go to the root nameservers to see who the nameservers are for 
.com.  You then go to the nameservers for .com to see who the 
nameservers are for example.com.  You then go to the nameservers for 
example.com to see if there are different nameservers for 
www.example.com.  Assuming that there are not, you then ask the 
nameservers for example.com what the IP address(es) is/are for 
www.example.com.

	This is basically the same process that your caching/recursive 
nameserver will have done, only you do this process separately to 
validate the information in your caching/recursive nameserver.  Tools 
like "doc" will automatically check this chain of delegation 
information for you.

>  but if I poll 500-1000 DNS servers for a given IP Address, shouldn't I start
>  to see patterns that tell me what the valid IP addresses are for the URL, so
>  that an address that gets returned to me (or a false one that's hard coded)
>  could be identified as being false...

	Not really.  Check www.google.com.  Check that from a thousand 
different places in the world, and you may get a thousand different 
answers because of the way they do load balancing.  Check the root 
nameservers, and you *will* get different answers, because of the way 
that some of them do load-balancing.  Check anyone that uses Akamai 
or Akamai-type distribution networks.

	Don't bother polling other nameservers.  Even if they were to 
answer you, the answers they get may not be any more valid for you 
than anything else you might see from anywhere else.  The only 
answers you can be reasonably sure are valid are those which you get 
from the authoritative nameservers for that domain.

	Of course, that entire process breaks down with DNS cache 
poisoning or pollution (poisoning is when this sort of stuff is done 
intentionally; it's called pollution if it's done accidentally), but 
without DNSSEC, there's not any other way to deal with this problem.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
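The delegation walk Brad describes (root -> .com -> example.com -> answer), and the follow-on check of a caching resolver's answer against what the authoritative servers actually return, as an added example. This is not code from the original post or from BIND; it is an editor's illustration. The DNS transport is a pluggable query(server_ip, qname, qtype) function, so the logic below runs offline against constructed zone data on RFC 5737 documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x); all server names and addresses in it are made up. To use it for real you would supply a query function built on dnspython or on "dig +norecurse" and feed it the real root server addresses.

```python
"""Walk the DNS delegation chain from the root and compare a cached answer
with the authoritative one.  Added example, not from the original post."""
from typing import Any, Callable, Dict, List, Tuple

# Simplified response shape: "answer" is the RDATA of matching records;
# "referral" is (child_zone, {ns_name: ns_ip}) when the server is not
# authoritative and is pointing us one zone further down.  Real referrals
# do not always carry glue addresses; a production tool must resolve the
# NS names itself when they are missing.
Response = Dict[str, Any]
QueryFn = Callable[[str, str, str], Response]


def _in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def _is_proper_parent(parent: str, child: str) -> bool:
    return child != parent and _in_zone(child, parent)


def walk_delegation(qname: str, qtype: str, root_servers: Dict[str, str],
                    query: QueryFn, max_hops: int = 16
                    ) -> Tuple[List[str], List[str], Dict[str, str]]:
    """Follow referrals from the root down to the servers that answer for qname.
    Returns (answer_rdata, zones_traversed, authoritative_servers)."""
    zone, servers, zones = ".", dict(root_servers), []
    for _ in range(max_hops):
        zones.append(zone)
        resp = query(next(iter(servers.values())), qname, qtype)
        if resp["answer"]:
            return list(resp["answer"]), zones, servers
        referral = resp.get("referral")
        if referral is None:
            raise LookupError(f"{qname}: neither answer nor referral from {zone} servers")
        child_zone, child_servers = referral
        # A legitimate referral always moves closer to qname.  Anything else
        # is a loop or a misbehaving server, so stop instead of following it.
        if not (_is_proper_parent(zone, child_zone) and _in_zone(qname, child_zone)):
            raise LookupError(f"bogus referral from {zone} to {child_zone}")
        zone, servers = child_zone, dict(child_servers)
    raise LookupError(f"{qname}: more than {max_hops} referrals")


def authoritative_answers(qname: str, qtype: str, auth_servers: Dict[str, str],
                          query: QueryFn) -> set:
    """Union of what every authoritative server returns (round-robin order
    and per-server differences are expected, so a set is compared, not a list)."""
    seen: set = set()
    for ip in auth_servers.values():
        seen.update(query(ip, qname, qtype)["answer"])
    return seen


def suspect_cached_answers(cached: List[str], qname: str, qtype: str,
                           root_servers: Dict[str, str], query: QueryFn) -> List[str]:
    """Cached RDATA that no authoritative server handed out.  Caveat from the
    post: for load-balanced names (Google, Akamai-style CDNs) authoritative
    answers vary per query and per vantage point, so a non-empty result is a
    reason to look closer, not proof of poisoning."""
    _, _, auth = walk_delegation(qname, qtype, root_servers, query)
    return sorted(set(cached) - authoritative_answers(qname, qtype, auth, query))


# Constructed zone data (hypothetical servers on RFC 5737 addresses).
CONSTRUCTED: Dict[str, Dict[str, Any]] = {
    "192.0.2.1": {"records": {},                      # pretend root server
                  "delegations": {"com.": {"a.gtld.test.": "192.0.2.2"}}},
    "192.0.2.2": {"records": {},                      # pretend .com server
                  "delegations": {"example.com.": {"ns1.example.com.": "198.51.100.1",
                                                   "ns2.example.com.": "198.51.100.2"}}},
    "198.51.100.1": {"records": {("www.example.com.", "A"): ["203.0.113.10", "203.0.113.11"]},
                     "delegations": {}},
    "198.51.100.2": {"records": {("www.example.com.", "A"): ["203.0.113.11", "203.0.113.10"]},
                     "delegations": {}},              # same RRset, round-robin order
}
ROOT = {"a.root.test.": "192.0.2.1"}


def constructed_query(server_ip: str, qname: str, qtype: str) -> Response:
    """Stand-in for a real non-recursive query against the constructed data."""
    data = CONSTRUCTED[server_ip]
    rrs = data["records"].get((qname, qtype))
    if rrs is not None:
        return {"answer": list(rrs), "referral": None}
    # Referral: the longest delegated zone that contains qname, if any.
    candidates = [z for z in data["delegations"] if _in_zone(qname, z)]
    if not candidates:
        return {"answer": [], "referral": None}
    child = max(candidates, key=len)
    return {"answer": [], "referral": (child, data["delegations"][child])}


if __name__ == "__main__":
    cached = ["203.0.113.10", "203.0.113.99"]  # constructed: second entry is not in the zone
    answer, zones, auth = walk_delegation("www.example.com.", "A", ROOT, constructed_query)
    print("delegation path     :", " -> ".join(zones))
    print("authoritative servers:", sorted(auth))
    print("authoritative answer:", answer)
    print("suspect cached RDATA:", suspect_cached_answers(cached, "www.example.com.", "A", ROOT, constructed_query))
```

Two details are worth noting. The walk refuses any referral that does not move strictly closer to the queried name, which is what stops a looping or misconfigured server from being followed forever; and the cache comparison is done on the union of all authoritative servers' answers as a set, since, as the post says, order and even membership can differ between servers and between queries for load-balanced names.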



More information about the bind-users mailing list