pharming.. dns cache insertion...

bruce bedouglas at earthlink.net
Sat Apr 9 21:45:40 UTC 2005


brad...

thanks for continuting this conversation with me!!

so let me go one step further.. let's say you can poll all the nameservers,
this in and of itself won't get you the IP Address for www.example.com..
you'd have to follow the chain down until you get to the dns server(s) for
www.example.com. is that right?

once you get a DNS for a given URL, i assume that you have to then find all
the valid authoritative DNS servers for the URL......

and if by your example using www.google.com, you might have alot of
different valid IP addresses being returned, due to the load balancing
issues. am i restating your points correctly?

if i am, then in theory, it appears to me that one could essentially build a
reasonably accurate list of valid IP Addresses for a given URL... in order
to maintain the accuracy, one would have to continually 'build/maintain' the
list, but it seems that it could be done.. am i missing something?

also, if i get an IP Address for a given URL, how do you determine if it's
really valid? would you have to go back to the authoritative DNS to see if
the IP is valid. is there a list somewhere for a URL of the valid IP
Addesses for that URL?

thanks for what might be basic questions?

if you're in the US, i could give you a call!!

thanks!

bruce
bedouglas at earthlink.net



-----Original Message-----
From: Brad Knowles [mailto:brad at stop.mail-abuse.org]
Sent: Saturday, April 09, 2005 1:59 PM
To: bedouglas at earthlink.net
Cc: 'Barry Margolin'; comp-protocols-dns-bind at isc.org
Subject: RE: pharming.. dns cache insertion...


At 10:32 AM -0700 2005-04-09, bruce wrote:

>  how does one/could one go about determining if an IP Address is actually
>  valid...

	Without DNSSEC, you have to start trusting somebody, somewhere.
Generally, this means that you trust the root nameservers.  So, you
follow the chain down.  If you want to check out www.example.com, you
first go to the root nameservers to see who the nameservers are for
.com.  You then go to the nameservers for .com to see who the
nameservers are for example.com.  You then go to the nameservers for
example.com to see if there are different nameservers for
www.example.com.  Assuming that there are not, you then ask the
nameservers for example.com what the IP address(es) is/are for
www.example.com.

	This is basically the same process that your caching/recursive
nameserver will have done, only you do this process separately to
validate the information in your caching/recursive nameserver.  Tools
like "doc" will automatically check this chain of delegation
information for you.

>  but if i poll 500-1000 DNS servers for a given IP Address, shouldn't i
start
>  to see patterns that tell me what the valid IP addresses are for the URL,
so
>  that an address that gets returned to me (or a false one that's hard
coded)
>  could be identified as being false...

	Not really.  Check www.google.com.  Check that from a thousand
different places in the world, and you may get a thousand different
answers because of the way they do load balancing.  Check the root
nameservers, and you *will* get different answers, because of the way
that some of them do load-balancing.  Check anyone that uses Akamai
or Akamai-type distribution networks.

	Don't bother polling other nameservers.  Even if they were to
answer you, the answers they get may not be any more valid for you
than anything else you might see from anywhere else.  The only
answers you can be reasonably sure are valid are those which you get
from the authoritative nameservers for that domain.

	Of course, that entire process breaks down with DNS cache
poisoning or pollution (poisoning is when this sort of stuff is done
intentionally, it's called pollution if it's done accidentally), but
without DNSSEC, there's not any other way to deal with this problem.

--
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.



More information about the bind-users mailing list