Help Understanding Cache Poisoning

Barry Margolin barmar at
Tue Nov 28 03:06:16 UTC 2006

In article <ekas3n$2ala$1 at>,
 "Will" <westes-usc at noemail.nospam> wrote:

> But the question was *how* does that poisoning happen?    I see how a
> hacker can do a denial of service attack, but not how they can get the
> resolver to enter in bad values.

Often cache poisoning requires the resolver to look up names in a 
particular domain that's legitimately delegated to the poisoner's 
servers.  The response to that query contains the "poison" data that 
gets entered into the cache.

With a closed recursive server, you have to get one of the ISP's 
customers to try to look up this domain -- maybe infect him with a 
virus, use a domain that's a misspelling of a common domain, send him 
spam with a link to your domain, etc.

But with an open server, all you have to do is send a query to the 

Barry Margolin, barmar at
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
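The mechanism Barry describes (a legitimately delegated domain whose response carries extra records the resolver then caches) is what resolver-side "bailiwick" checking defends against. The following is an added example, not code from the thread or from BIND: it filters a response so that only records under the zone the answering server was delegated for are kept. Zone names, record data and addresses are constructed sample values.

```python
# Added illustration of a resolver-side bailiwick check. Records are modelled as
# (owner, type, rdata) tuples rather than parsed from wire format; all names and
# addresses below are constructed (reserved .test TLD and 192.0.2.0/24 range).

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies strictly below it.
    Comparison is case-insensitive and ignores a trailing dot."""
    n = name.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    if z == "":            # the root zone covers every name
        return True
    return n == z or n.endswith("." + z)

def filter_response(zone: str, records: list) -> tuple:
    """Split response records into (cacheable, discarded).
    `zone` is the zone the queried servers were legitimately delegated for;
    anything whose owner name is outside it must not enter the cache."""
    keep, drop = [], []
    for owner, rtype, rdata in records:
        (keep if in_bailiwick(owner, zone) else drop).append((owner, rtype, rdata))
    return keep, drop

# Constructed sample: the resolver asked the servers for attacker-example.test
# (a domain that really is delegated to them) and received this response.
SAMPLE_ZONE = "attacker-example.test."
SAMPLE_RESPONSE = [
    ("www.attacker-example.test.", "A", "192.0.2.10"),               # answer: in bailiwick
    ("attacker-example.test.", "NS", "ns1.attacker-example.test."),  # authority: in bailiwick
    ("ns1.attacker-example.test.", "A", "192.0.2.53"),               # glue: in bailiwick
    ("www.victim-example.test.", "A", "192.0.2.66"),                 # unrelated domain: poison
    ("victim-example.test.", "NS", "ns1.attacker-example.test."),    # foreign delegation: poison
]

if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE_ZONE, SAMPLE_RESPONSE)
    for rec in kept:
        print("cache  ", rec)
    for rec in dropped:
        print("discard", rec)
```

Without the check, the last two records would be cached and later answered to clients asking about victim-example.test, which is exactly the "poison data" the post refers to.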
