Vulnerability to cache poisoning -- the rest of the solution

Jeff Lightner jlightner at water.com
Fri Jul 11 17:21:17 UTC 2008


Thanks.

Forgive me for being dense, but I'm trying to understand.

Is the "cache poisoning" poisoning of our name servers' cache or of name
servers that our recursive queries are using for resolution of external
sites (e.g. google.com, yahoo.com, billybob.com)?

When you say allowing recursion is the issue, are you saying that in the
sense that there is a risk from internal sabotage as there is from
internet hackers, or are you saying that simply having it on for internal
users somehow also would allow internet hackers to exploit it?

Reading your final paragraph makes it seem like you mean it is the
latter.

Just to make sure I understand recursion:  My assumption is that this is
necessary to do lookups for zones for which we are not authoritative
like the examples above.   Is that correct?

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Alan Clegg
Sent: Friday, July 11, 2008 12:44 PM
To: bind-users at isc.org
Subject: Re: Vulnerability to cache poisoning -- the rest of the
solution

Jeff Lightner wrote:
> I had thought turning off cache queries to external lookups was
> sufficient.   Are you saying this is needed in addition or that cache
> query disabling had nothing to do with the cache poisoning?

If your server is authoritative only, it is not at risk.  If it is
recursive, it is at risk.

It's not allowing queries from outside your network that puts you at
risk, it's doing recursion on behalf of others (internal or external)
that opens you to the vulnerability.

If you recurse, install new code and don't limit your queries to a
single port.

> Also as to the randomization - is this only for outbound responses? The
> initial query would have to come on port 53 where named listens or are
> you saying that it somehow listens on random ports as well?

This randomization is of queries being sent out from recursive servers
on behalf of the system that sent the query with the recursion desired
"RD" bit set.

All DNS queries will have a destination of port 53.  You just don't want
all of the queries to have the same SOURCE port.

AlanC
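The two settings Alan's reply turns on (who is allowed to recurse, and whether outbound queries are pinned to one source port) map directly onto named.conf. The fragment below is an added example, not configuration from either poster; the ACL name "trusted", the directory and the client networks are assumptions for illustration, and the weak line is shown commented out next to its replacement.

```conf
// Added example (not from the thread): a named.conf "options" block for a
// server that recurses for internal clients only. The ACL name "trusted",
// the networks it lists and the directory are assumptions.

acl "trusted" {
    localhost;
    localnets;           // assumed: the internal networks that may recurse
};

options {
    directory "/var/named";

    // WEAK (remove this): a fixed "port" clause sends every outbound query
    // from the same source port, so an attacker only has to guess the
    // 16-bit transaction ID to forge an answer into the cache.
    // query-source address * port 53;

    // CORRECTED: no "port" clause, so a patched named picks a fresh random
    // source port for each query it sends on behalf of RD-bit clients.
    query-source address *;

    // Only internal clients may ask this server to recurse or read its
    // cache; everyone else gets authoritative data or a referral. This
    // narrows exposure, but as Alan notes the server is still at risk for
    // as long as it recurses for anyone at all, so patched code and random
    // source ports remain necessary.
    allow-recursion   { "trusted"; };
    allow-query-cache { "trusted"; };
    allow-query       { any; };
};

// For an authoritative-only server (not at risk from this bug), use this
// options block instead of the one above (named.conf allows only one):
// options {
//     recursion no;           // never send queries on anyone's behalf
//     allow-query { any; };
// };
```

After reloading, two checks are worth doing. First, confirm the running version is one of the patched releases (`named -v`), since removing the `port` clause on unpatched code only restores the old, still predictable, port selection. Second, watch the server's outbound traffic (for example `tcpdump -n -i eth0 'udp and dst port 53'` on the interface named uses; the interface name is an assumption) and verify that the source port changes from query to query. If every packet leaves from the same port, look at any stateful firewall or NAT between the server and the internet: a device that rewrites source ports to a single value undoes the randomization named is doing, and the fix then belongs on that device rather than in named.conf.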

