Cert Vulnerability 734644

[trusted linux]

Hi,

I have a question about the CERT 734644. If this is a
problem, we have to do a major upgrade. However, it
does not really convince me that this is a real
threat. Can anybody help clarify it? 

http://www.kb.cert.org/vuls/id/734644 

per 734644, 

 Several versions of the BIND 8 name server are
vulnerable to cache poisoning via negative responses.
To exploit this vulnerability, an attacker must
configure a name server to return authoritative
negative responses for a given target domain. Then,
the attacker must convince a victim user to query the
attacker's maliciously configured name server. When
the attacker's name server receives the query, it will
reply with an authoritative negative response
containing a large TTL (time-to-live) value. If the
victim's site runs a vulnerable version of BIND 8, it
will cache the negative response and render the target
domain unreachable until the TTL expires. 
 
    Assume the victim dns is ns.victim.net, the target
domain is xyz.com, 
    If I interpret this correctly, to run the attack,
the attacker has to do the followings:
 
    1. create and configure a dns server to server as
the authoritative DNS for xyz.com domain, called
dnsxyz.attack.com (or just a IP) - fine. 
    2. convince ns.victim.net to query
dnsxyz.attack.com for any queries for xyz.com (i.e.
www.xyz.com) - how? 
    3. dnsxyz.attack.com replies with negative
response with a big TTL.
 
    The problem is #2. How is it possible? Actually,
without preset trust, this is equivalent to say that
the attacker has already controlled the ns.victim.net.
So, why does he bother to run this attack? 
 
    I understand that birthday attack and space
searching can break the random query ID without
requiring the trust. However this CERT vulnerability
does not seem to rely on these techniques. 
 
thanks,


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com