Possible cache poisoning

Sten Carlsen stenc at s-carlsen.dk
Tue Oct 26 18:05:42 UTC 2010


If we talk about checking after suspected poisoning, my best idea is:

Dump the cache, then flush the cache, do the lookups again and
compare to the cache dump. Any difference is suspicious and should be
looked at more closely.

The cure is BTW also to flush the cache of the fake info.

Remember that it is only the resolving server that gets poisoned; the
authoritative server does not ask questions and cannot be poisoned with
false replies.

Remember to use best practices to avoid poisoning anyway.

On 26/10/10 10:19, Matus UHLAR - fantomas wrote:
> On 25.10.10 16:39, The Doctor wrote:
>> My question is how can you detect if a DNS / Domain name
>> has been 'poisoned'?
> quite hard if it's already been done. You can see what it contains and
> compare it with what it should contain, but you never know if the incorrect
> data didn't come from misconfigured server.
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 

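The comparison step of the dump / flush / re-lookup check described in the message above, as an added example that is not part of the original post or of BIND. It assumes both dumps are in master-file style text (for instance one taken with `rndc dumpdb -cache` before `rndc flush` and one taken after repeating the lookups); the function names and the sample data are constructed for illustration.

```python
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}

def parse_dump(text):
    """Map (owner, type) -> set of rdata from master-file style dump text."""
    rrsets, owner = defaultdict(set), None
    for raw in text.splitlines():
        # Comments start at ';' (a quoted ';' inside TXT rdata is not handled).
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("$"):
            continue                      # blank, comment-only, or $DATE/$TTL
        fields = line.split()
        if not line[0].isspace():         # indented lines inherit the owner
            owner = fields.pop(0).lower().rstrip(".") + "."
        if fields and fields[0].isdigit():
            fields.pop(0)                 # TTL always differs after a flush
        if fields and fields[0].upper() in CLASSES:
            fields.pop(0)
        if owner is not None and len(fields) >= 2:
            rrsets[(owner, fields[0].upper())].add(" ".join(fields[1:]).lower())
    return rrsets

def compare(before, after):
    """Return (changed RRsets, RRsets in the old dump that were not re-resolved)."""
    changed = [(name, rtype, sorted(before[(name, rtype)]), sorted(after[(name, rtype)]))
               for name, rtype in sorted(before.keys() & after.keys())
               if before[(name, rtype)] != after[(name, rtype)]]
    return changed, sorted(before.keys() - after.keys())

# Constructed sample dumps (documentation names and addresses, not real data).
BEFORE = """\
; dump taken before the flush
$DATE 20101026180000
; authanswer
www.example.com.   3000  IN A   198.51.100.66
example.com.       80000 IN NS  ns1.example.com.
                   80000 IN NS  ns2.example.com.
ns1.example.com.   80000 IN A   192.0.2.1
"""
AFTER = """\
$DATE 20101026181000
www.example.com.   3600  IN A   192.0.2.80
example.com.       86400 IN NS  NS2.example.com.
                   86400 IN NS  ns1.example.com.
"""

if __name__ == "__main__":
    changed, unchecked = compare(parse_dump(BEFORE), parse_dump(AFTER))
    for name, rtype, old, new in changed:
        print(f"DIFF {name} {rtype}: cached {old} -> fresh {new}")
    for name, rtype in unchecked:
        print(f"NOT RE-RESOLVED {name} {rtype}")
```

TTLs, record order and name case are ignored, so only a change in the record data itself is reported; entries listed as not re-resolved still need a fresh lookup before they can be compared.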