Possible DNS cache poisoning attack
Kevin Darcy
kcd at chrysler.com
Thu Oct 30 02:05:17 UTC 2008
Don't attribute to malice that which can be explained by stupidity.
My guess is that Facebook botched a nameserver migration, such that
their apex NS records were pointing to unreachable nameservers. That
would make you unable to resolve the zone until the cache was
purged/flushed at which point you'd be able to resolve it via the
delegation records, you'd cache the bad NS records, and the cycle would
start all over again...
- Kevin
Rob Tanner wrote:
> Or, at least that's what it looks like.
> Last nigh (Oct 28) we were barraged by thousands of emails with a return
> path of facebookmail.com. Our MTA checks the return path of each
> incoming message so as to reject anything that can't be replied to.
> That, of course, requires a DNS lookup but every attempt to lookup
> facebookmail.com timed out and when I flushed the cache, it would
> resolve for a short while and then hang again until a again flushed my
> cache. This effectively brought both of my email edge servers to their
> knees as all the SMTP connections were tied up while the server was
> waiting on DNS.
>
> I upgraded back in July when the major security bug was discovered and
> my name servers all run BIND 9.5.0-P1. I know there were a couple of
> Windows specific updates since then which I ignored because I'm running
> on Linux. Is that version otherwise at risk and do I need to update for
> security reasons?
>
> Thanks,
> Rob
>
>
>
>
>
>
>
More information about the bind-users
mailing list