Vulnerability to cache poisoning -- the rest of the solution

Evan Hunt Evan_Hunt at isc.org
Fri Jul 11 18:30:12 UTC 2008


> Is the "cache poisoning" poisoning of our name servers' cache or of name
> servers that our recursive queries are using for resolution of external
> sites (e.g. google.com, yahoo.com, billybob.com)?
> 
> When you say allowing recursion is the issue are you saying that in the
> sense that there is a risk from internal sabotage as there is from
> internet hackers or are you saying simply having it on for internal
> users somehow also would allow internet hackers to exploit it?
> 
> Reading your final paragraph makes it seem like you mean it is the
> latter.
> 
> Just to make sure I understand recursion:  My assumption is that this is
> necessary to do lookups for zones for which we are not authoritative
> like the examples above.   Is that correct?

Essentially, yes.  The problem is that your resolver, in going out to
get answers from authoritative servers elsewhere, is at risk of getting
a *forged* answer from a bad guy, containing bad information, and accepting
it as valid.  It would then cache the bad information, and continue passing
it out to your clients for as long as the cache persists.

If any client, inside *or* outside your network, uses your server for
recursion, then your server is a potential target for this kind of attack.
And if it hasn't been updated with the patch, the attack may well succeed.

--
Evan Hunt -- evan_hunt at isc.org
Internet Systems Consortium, Inc.
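Added example, not part of Evan's message or of any ISC-supplied configuration: a named.conf fragment showing the two settings that decide whether a recursive server is exposed in the way described above. The "internal" ACL name and the address ranges in it are assumed for illustration and must be replaced with your own client networks; the note about the July 2008 patch refers to its addition of source-port randomization to named.

```conf
// Added example (not from the original message): named.conf fragment
// illustrating the settings relevant to the cache-poisoning exposure.
// The ACL name and address ranges below are assumptions for illustration.

acl "internal" {
    127.0.0.1;
    10.0.0.0/8;          // assumed: your own client networks
};

options {
    directory "/var/named";

    // WEAK: pinning the outbound port defeats the source-port
    // randomization added by the July 2008 patch, leaving only the
    // 16-bit query ID for an attacker to guess. Remove any such line.
    // query-source address * port 53;

    // CORRECTED: let named pick a random ephemeral port for each query
    // (this is also the default once the fixed-port line is gone).
    query-source address * port *;

    // Answer recursive queries only for your own clients. Outsiders can
    // still get authoritative answers for zones you serve, but they can
    // no longer use this server as a resolver, so its cache is not a
    // target they can reach directly.
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
};
```

After reloading, confirm that queries really leave from varying ports: a client that uses this server for recursion can run `dig +short porttest.dns-oarc.net TXT`, whose reply reports whether the observed source ports look random or fixed.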

