Cert Vulnerability 734644

Peter Dambier peter at peter-dambier.de
Thu Jun 30 05:06:28 UTC 2005

Kevin Darcy wrote:
> trusted linux wrote:
>>I have a question about the CERT 734644. If this is a
>>problem, we have to do a major upgrade. However, it
>>does not really convince me that this is a real
>>threat. Can anybody help clarify it? 
>>per 734644, 
>>Several versions of the BIND 8 name server are
>>vulnerable to cache poisoning via negative responses.
>>To exploit this vulnerability, an attacker must
>>configure a name server to return authoritative
>>negative responses for a given target domain. Then,
>>the attacker must convince a victim user to query the
>>attacker's maliciously configured name server. When
>>the attacker's name server receives the query, it will
>>reply with an authoritative negative response
>>containing a large TTL (time-to-live) value. If the
>>victim's site runs a vulnerable version of BIND 8, it
>>will cache the negative response and render the target
>>domain unreachable until the TTL expires. 

In my case the attacker was my ISP!

They disconnect me once every 24 hours to prevent me from
running a server. Bind 8 is a server.

After disconnect Bind stored only negative answers. Even
when I reconnected automatically the negative answers
prevented me from reaching anybody outside my lan.

With Bind 9 the problem is gone.

>>   Assume the victim dns is ns.victim.net, the target
>>domain is xyz.com, 
>>   If I interpret this correctly, to run the attack,
>>the attacker has to do the followings:
>>   1. create and configure a dns server to server as
>>the authoritative DNS for xyz.com domain, called
>>dnsxyz.attack.com (or just a IP) - fine. 
>>   2. convince ns.victim.net to query
>>dnsxyz.attack.com for any queries for xyz.com (i.e.
>>www.xyz.com) - how? 

If I can see your server:

"dig @your_server www.xyz.com"

>>   3. dnsxyz.attack.com replies with negative
>>response with a big TTL.
>>   The problem is #2. How is it possible? Actually,
>>without preset trust, this is equivalent to say that
>>the attacker has already controlled the ns.victim.net.
>>So, why does he bother to run this attack? 
>>   I understand that birthday attack and space
>>searching can break the random query ID without
>>requiring the trust. However this CERT vulnerability
>>does not seem to rely on these techniques. 
> Well, I don't know the specifics of this particular vulnerability, but 
> maybe BIND 8 was accepting xyz.com negative cache entries in response to 
> attack.com queries, under certain circumstances...
>                                                             - Kevin

You do not need a negative answer from somebody. No answer from anybody
is a negative answer too.

If I prevent you from receiving an answer then I have got you. DOS attack
on your server will do. So will DOS attack on the nameservers. A temporary
loss of connectivity will do too.


Peter and Karin Dambier
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-6252-750308 (VOiP: sipgate.de)
+49-179-108-3978 (O2 Genion)
+1-360-226-6583-9563 (INAIC)
mail: peter at peter-dambier.de
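The thread turns on two resolver-side questions: how long a negative answer may be cached, and whether the SOA that carries the negative TTL actually belongs to the zone the query name is in (Kevin's point about xyz.com entries arriving on attack.com queries). The following is an added example, not code from this thread or from BIND: it constructs an NXDOMAIN response in wire format, derives the RFC 2308 negative-cache TTL as min(SOA TTL, SOA MINIMUM), ignores an SOA whose owner is not the query name or one of its parents, and clamps the result to a ceiling in the spirit of BIND 9's max-ncache-ttl option. The ceiling value, the zone names and the sample responses are assumptions constructed for the example.

```python
"""Resolver-side sanity checks on a negative (NXDOMAIN / NODATA) DNS response."""
import struct

# Ceiling on how long a negative answer may be cached (seconds). BIND 9 exposes this
# as max-ncache-ttl; the value here is an assumption for the example.
MAX_NCACHE_TTL = 10800

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, TYPE_SOA, CLASS_IN = 1, 6, 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, resume after the pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_rrs(msg, offset, count):
    """Return ([(owner, rtype, rclass, ttl, rdata_start, rdata_end)], next offset)."""
    rrs = []
    for _ in range(count):
        owner, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rrs.append((owner, rtype, rclass, ttl, offset, offset + rdlength))
        offset += rdlength
    return rrs, offset


def negative_cache_ttl(msg):
    """RFC 2308 negative-cache TTL for a negative response, or None if it must not be cached.

    None is returned for positive answers, for responses with no SOA in the authority
    section, and for an SOA whose owner is not the query name or one of its parents
    (the bailiwick check that keeps an out-of-zone SOA from installing a negative entry).
    """
    _, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    qname, offset = read_name(msg, 12)
    offset += 4  # QTYPE, QCLASS
    for _ in range(qdcount - 1):  # tolerate packets carrying extra questions
        _, offset = read_name(msg, offset)
        offset += 4
    answers, offset = parse_rrs(msg, offset, ancount)
    authority, _ = parse_rrs(msg, offset, nscount)

    if not (rcode == RCODE_NXDOMAIN or (rcode == RCODE_NOERROR and not answers)):
        return None
    for owner, rtype, rclass, ttl, _rstart, rend in authority:
        if rtype != TYPE_SOA or rclass != CLASS_IN:
            continue
        if not (owner == "." or qname == owner or qname.endswith("." + owner)):
            continue  # SOA from outside the query's zone hierarchy: ignore it
        minimum = struct.unpack("!I", msg[rend - 4:rend])[0]  # MINIMUM is the last SOA field
        return min(ttl, minimum)
    return None


def clamp_negative_ttl(msg, ceiling=MAX_NCACHE_TTL):
    """Negative-cache TTL after applying the resolver's ceiling; None if not cacheable."""
    ttl = negative_cache_ttl(msg)
    return None if ttl is None else min(ttl, ceiling)


def build_nxdomain_response(qname, soa_owner, soa_ttl, soa_minimum, txid=0x1234):
    """Constructed NXDOMAIN response with one SOA in the authority section (sample input only)."""
    header = struct.pack("!HHHHHH", txid, 0x8403, 1, 0, 1, 0)  # QR=1, AA=1, RCODE=3
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = (encode_name("ns1." + soa_owner) + encode_name("hostmaster." + soa_owner)
             + struct.pack("!IIIII", 2005063001, 3600, 900, 604800, soa_minimum))
    soa = encode_name(soa_owner) + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, soa_ttl, len(rdata)) + rdata
    return header + question + soa


if __name__ == "__main__":
    # An SOA asking for a year of negative caching is cut back to the ceiling.
    hostile = build_nxdomain_response("www.xyz.com.", "xyz.com.", 31536000, 31536000)
    print(negative_cache_ttl(hostile), clamp_negative_ttl(hostile))  # 31536000 10800
    # An SOA for an unrelated zone may not install a negative entry for xyz.com.
    offzone = build_nxdomain_response("www.xyz.com.", "attack.com.", 300, 300)
    print(clamp_negative_ttl(offzone))  # None
```

Note that the ceiling bounds only the damage from a forged or over-long negative TTL; it does nothing for the case described above where no answer arrives at all, which is a connectivity problem rather than a cache-content problem.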
