Bind9 and Cache Poisoning problems

Brad Knowles brad at stop.mail-abuse.org
Mon Sep 12 22:13:29 UTC 2005


At 5:37 PM -0400 2005-09-12, Kevin Darcy wrote:

> Spoofed responses are, between nodes with an
> existing trust relationship, preventable using shared-key
> authentication, i.e. TSIG, but won't really be solvable on a large scale
> until DNSSEC is widely implemented.

	Spoofed responses depend on things like managing to find a 
collision for the {sender port, recipient port, id} tuple, and then 
just spewing enough data that you can be reasonably sure that you get 
at least one hit reasonably fast.  If you can collapse that search 
space, you can get your hits much faster.

	Older versions of BIND would be predictable in their query-id, so 
you could send them a query, see what they're currently sitting at, 
then take that as the baseline of your guessing, and even if they're 
a high-volume site, you can still be reasonably assured that your 
guess is pretty close.

	Even BIND-9.3.1 allows you to collapse one of the tuples, by 
always accepting responses sent back to port 53, even if the query 
didn't originate from port 53.  So it's still subject to spoofed 
responses in that way.


	Of course, if you split your authoritative-only and 
recursive/caching services onto separate machines (or at least 
separate instances), then the authoritative-only server/service 
cannot be compromised.  You can then apply additional firewall state 
filtering techniques, so even if BIND would have accepted any 
response matching the recipient port and query-id that was sent to 
port 53, the firewall won't let that packet through, so BIND would 
never see it.

	Host level firewalling is a good way to achieve this, as an 
additional layer of security on top of the network-layer firewalls.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
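The matching check the post is talking about, as an added illustration that is not code from BIND or from either poster: a resolver (or a stateful host firewall in front of it) keeps a table of outstanding queries and only accepts a reply whose {destination port, message id, name, server address} matches one of them. The `lenient_port53` switch models the behaviour Brad describes for BIND 9.3.1, where a reply addressed to port 53 is accepted even though the query left from another port, and `guess_space()` shows how much of the {port, id} search space that gives away. Packet fields, the `Query`/`Response` classes and the sample values (`example.test.`, `192.0.2.1`) are constructed for the example.

```python
"""Model of the response-matching check a resolver, or a stateful host
firewall in front of it, applies before accepting a DNS answer.

Added illustration, not code from BIND or from the mailing-list post.
The 'lenient_port53' policy is an assumption that models the behaviour
described in the thread: a reply addressed to port 53 is accepted even
when the matching query was sent from a different source port."""

from dataclasses import dataclass

DNS_PORT = 53
ID_SPACE = 1 << 16                   # 16-bit DNS message ID
EPHEMERAL_PORTS = 65535 - 1024 + 1   # source ports a resolver could pick


@dataclass(frozen=True)
class Query:
    qname: str
    qid: int
    src_port: int   # port the resolver sent the query from
    server: str     # address the query was sent to


@dataclass(frozen=True)
class Response:
    qname: str
    qid: int
    dst_port: int   # port the reply is addressed to
    src: str        # address the reply claims to come from


class PendingQueries:
    """Outstanding-query table; a reply is accepted only if it matches."""

    def __init__(self):
        self._pending = {}  # (qname, qid, src_port, server) -> Query

    def send(self, q: Query) -> None:
        self._pending[(q.qname, q.qid, q.src_port, q.server)] = q

    def accept(self, r: Response, lenient_port53: bool = False):
        """Return the matched Query if r is a legitimate reply, else None.

        Strict policy: the reply's destination port must equal the port
        the query was sent from, and id, name and server must match.
        Lenient policy: a reply to port 53 matches any outstanding query
        with the same id, name and server, whatever port it left from,
        which removes the port from what a forger has to guess."""
        key = (r.qname, r.qid, r.dst_port, r.src)
        q = self._pending.get(key)
        if q is None and lenient_port53 and r.dst_port == DNS_PORT:
            for cand in self._pending.values():
                if (cand.qname, cand.qid, cand.server) == (r.qname, r.qid, r.src):
                    q = cand
                    break
        if q is not None:
            # One answer per query: drop it so a later duplicate is rejected.
            del self._pending[(q.qname, q.qid, q.src_port, q.server)]
        return q


def guess_space(random_ports: bool, lenient_port53: bool) -> int:
    """Number of {port, id} combinations a forged reply must hit.

    With the lenient policy the port dimension collapses to one value;
    with a fixed source port it never contributed in the first place."""
    ports = EPHEMERAL_PORTS if (random_ports and not lenient_port53) else 1
    return ports * ID_SPACE


if __name__ == "__main__":
    q = Query("example.test.", 0x1234, 40000, "192.0.2.1")   # constructed
    for lenient in (False, True):
        table = PendingQueries()
        table.send(q)
        to_53 = Response("example.test.", 0x1234, DNS_PORT, "192.0.2.1")
        print("reply to port 53 accepted (lenient=%s): %s"
              % (lenient, table.accept(to_53, lenient) is not None))
    print("combinations to guess, strict:  ", guess_space(True, False))
    print("combinations to guess, lenient: ", guess_space(True, True))
```

The strict branch is the check a stateful firewall gives you for free: it only passes inbound UDP that answers an outbound datagram it has seen, so a reply aimed at port 53 with no matching outbound query is dropped before the nameserver ever looks at it.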
