Unsuitable for Forwarder use

Tim Peiffer peiffer at umn.edu
Thu Apr 21 16:24:34 UTC 2005


Is there any description on what is seen in logs, etc. to indicate that a
server is the target or the victim of a cache poisoning attack?  I see a
lot of 'update' denied, and 'additional' denied, but none of them can be
pinned down to something trying to influence the cache in a malicious way.

Tim Peiffer
University of Minnesota

List Account wrote:

>I saw this on isc.org and am trying to confirm whether the problems
>we've been seeing are related.
>
>========================
>If a name server -- any name server, whether BIND or otherwise -- is
>configured to use ``forwarders'', then none of the target forwarders
>can be running BIND4 or BIND8. Upgrade all name servers used as
>``forwarders'' to BIND9. There is a current, wide scale
>Kashpureff-style DNS cache corruption attack which depends on BIND4
>and BIND8 as ``forwarders'' targets.
>...
>========================
>
>We have a split DNS solution in place.  We recently upgraded our
>internal DNS boxes to 9.2.3.  Our external 'ns' boxes are still
>running 8.2.4.
>
>Our internal DNS servers are authoritative for example.com, and cannot
>do Internet name resolution on their own.  For Internet name
>resolution, we configure select zones as type forward and send
>requests to our Internet NS boxes.
>
>Our external DNS servers (totally separate boxes) are also
>authoritative for example.com and are targets for our internal DNS
>server for select Internet domains.
>
>Lately, we've noticed that our internal DNS get cache corruption
>and believe that example.com SOA is our external DNS boxes.
>
>Am I reading the above advisory correctly?  Is the problem I'm seeing
>related to this?
>
>Thanks in advance for your help.
>
>  - Frank