Reg : DNS Cache poisoning

Kevin Darcy kcd at daimlerchrysler.com
Tue Sep 18 22:57:35 UTC 2007


What you're attempting -- including data for one zone in the zonefile of 
another zone -- is an obvious violation of the RFCs and BIND has 
rejected it for a long time. The only thing that's changed between the 
various versions of BIND 8 and BIND 9 in this regard is whether BIND 
believes/trusts/caches records it *receives* from other sources, under 
certain circumstances. If you want to *generate* malicious 
cache-poisoning records in DNS responses, you'll need to use some other 
package, or write your own code...

                     - Kevin

Sudheer Bysani wrote:
> Hi,
> I'm in the process of developing a lab for Security Education 
> (http://www.cis.syr.edu/~wedu/seed/index.html) and require some help on 
> conducting DNS Cache Poisoning attacks.
>
> Pharming Guide (http://www.ngssoftware.com/papers/ThePharmingGuide.pdf) 
> explains DNS Cache poisoning attack, wherein the attacker name server 
> includes the additional (faked) resolution records (of other websites) 
> apart from what it's actually asked for.
>
> I'm wondering how exactly to do this. I know this issue has been fixed 
> in BIND 9. I was trying the same in 8.4.6, but still unsuccessful.
>
> This is my SOA for the same:
>
> @ IN SOA ns1.example.com. admin.example.com. (
>         2007031001
>         28800
>         3600
>         604800
>         38400
>         )
>
> example.com. IN NS ns1.example.com.
> example.com. IN NS *ns2.someweb.com.*
> example.com. IN MX 10 mail.example.com.
>
> ns1 IN A 192.168.1.1
> *ns2.someweb.com. IN A 192.168.1.2*
>
>
> Now, if I try to dig www.example.com, it shows ns2.someweb.com as one of 
> the name servers, but it actually resolves the IP address of 
> ns2.someweb.com if it actually exists.
>
> How do I make BIND resolve ns2.someweb.com to the IP address I 
> mention?
>
> Is it actually possible to send fake resolution records for the domain 
> which the name server doesn't represent?
>
> Any help is appreciated.
>
>
> Thanks
> Sudheer
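As an added example (not code from the thread, and not BIND's own logic), here is a simplified resolver-side bailiwick check modelled on the zone data quoted above: a record is only cacheable if its owner name is the zone the answering server is authoritative for, or lies under it, so the glue A record for ns2.someweb.com. is discarded and that name gets resolved separately, which is exactly what the dig output in the thread shows. The rule is a teaching model rather than BIND's full credibility ranking; the 192.168.1.10 answer address is constructed.

```python
# Added example: a simplified bailiwick filter for records in a DNS response.
# This is a teaching model, not BIND's exact credibility rules.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str      # owner name, absolute (trailing dot)
    rtype: str
    rdata: str
    section: str   # "answer", "authority" or "additional"


def normalize(name: str) -> str:
    """Lower-case and force an absolute name so comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(zone: str, name: str) -> bool:
    """True if name is the zone itself or lies under it (label-wise, not a
    plain substring test, so notexample.com. is NOT under example.com.)."""
    zone, name = normalize(zone), normalize(name)
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def filter_response(zone: str, records):
    """Split a response from a server authoritative for `zone` into the
    records a cautious resolver may cache and those it must discard."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(zone, rr.name) else rejected).append(rr)
    return accepted, rejected


# Constructed response mirroring the zone file quoted in the thread.
RESPONSE = [
    RR("www.example.com.", "A", "192.168.1.10", "answer"),        # constructed address
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("example.com.", "NS", "ns2.someweb.com.", "authority"),    # NS itself is in-zone
    RR("ns1.example.com.", "A", "192.168.1.1", "additional"),
    RR("ns2.someweb.com.", "A", "192.168.1.2", "additional"),     # out-of-bailiwick glue
]

if __name__ == "__main__":
    ok, bad = filter_response("example.com.", RESPONSE)
    for rr in bad:
        print("discard, resolve separately:", rr.name, rr.rtype, rr.rdata)
```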
