odd behavior in bind-8.2.2_P3 (fwd) - "illegitimate COM server" - more

Ted_Rule at flextech.co.uk Ted_Rule at flextech.co.uk
Wed Sep 6 09:12:34 UTC 2000




A little more digging shows up a potential hole which this rogue server may be trying to exploit.

Amongst all the other bits on MYIFRIENDSNS1.WEBPOWER.COM's copy of the COM domain is this record:

www.erosrouge      10S IN A        204.180.135.105

However, it is to be noted that no records exist for the erosrouge.com level itself....

Meanwhile on the root-servers, we have a delegation:

EROSROUGE.COM.          2D IN NS        MYIFRIENDSNS1.WEBPOWER.COM

It should also be noted that there are several dozen other domains which appear to be similarly configured in this way; it's not just erosrouge.com where the problem lies.

As a consequence, when one digs for the webserver on the root-server, you get:

$ dig @a.root-servers.net www.erosrouge.com a +norecurse

; <<>> DiG 8.2 <<>> @a.root-servers.net www.erosrouge.com a +norecurse
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28441
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      www.erosrouge.com, type = A, class = IN

;; AUTHORITY SECTION:
EROSROUGE.COM.          2D IN NS        MYIFRIENDSNS1.WEBPOWER.COM.
EROSROUGE.COM.          2D IN NS        MYIFRIENDSNS2.WEBPOWER.COM.

;; ADDITIONAL SECTION:
MYIFRIENDSNS1.WEBPOWER.COM.  2D IN A  204.180.135.105
MYIFRIENDSNS2.WEBPOWER.COM.  2D IN A  207.76.82.105

;; Total query time: 166 msec
;; FROM: intranot.flextech.co.uk to SERVER: a.root-servers.net  198.41.0.4
;; WHEN: Wed Sep  6 10:01:20 2000
;; MSG SIZE  sent: 35  rcvd: 145



When one then follows this delegation, the following suspect reply results:

[itadmin at intranot named]$ dig @myifriendsns1.webpower.com www.erosrouge.com a +norecurse

; <<>> DiG 8.2 <<>> @myifriendsns1.webpower.com www.erosrouge.com a +norecurse
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65177
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      www.erosrouge.com, type = A, class = IN

;; ANSWER SECTION:
www.erosrouge.com.      10S IN A        204.180.135.105

;; AUTHORITY SECTION:
com.                    1D IN NS        myifriendsns1.webpower.com.

;; Total query time: 138 msec
;; FROM: intranot.flextech.co.uk to SERVER: myifriendsns1.webpower.com  204.180.135.105
;; WHEN: Wed Sep  6 10:02:28 2000
;; MSG SIZE  sent: 35  rcvd: 91

And if your name server caches that NS record, you are dead in the water.


Meanwhile.... in bind-8.2.2-P5/src/bin/named/ns_resp.c .... I believe this bit
of code:

......

                        if (i < arfirst) {
                                /* Authority section. */
                                switch (type) {
                                case T_NS:
                                case T_SOA:
                                        if (!ns_samedomain(aname, name)) {
                                                ns_info(ns_log_resp_checks,
                                                    "bad referral (%s !< %s)",
                                                        aname[0] ? aname : ".",
                                                        name[0] ? name : ".");
                                                db_freedata(dp);
                                                continue;
                                        } else if (!ns_samedomain(name,
                                                               qp->q_domain)) {
                                                if (!externalcname)
                                                    ns_info(ns_log_resp_checks,
                                                    "bad referral (%s !< %s)",
                                                         name[0] ? name : ".",
                                                         qp->q_domain[0] ?
                                                         qp->q_domain : ".");
                                                db_freedata(dp);
                                                continue;
                                        }
                                        if (type == T_NS) {
                                                nscount++;
                                                add_related_additional(tname);
                                                tname = NULL;
                                        }
                                        if (type == T_SOA) {
                                                soacount++;
                                        }
                                        break;
......

is supposed to trap the illegal NS record in the Authority section, preventing it from being added to the database, which thereby should make any bind-8.2.2 users invulnerable to the problem.

I tried following the code contortions to decide whether it would trap the above suspect reply, but I couldn't completely make up my mind - and I have yet to find a sacrificial bind server to try it on.

Can anyone enlighten us as to whether this potential hole is correctly blocked by the latest bind servers?


Ted
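The bailiwick check the post is asking about, as an added example that is not part of the original message and not BIND's own code: a simplified C model of the two `ns_samedomain` tests in the quoted `ns_resp.c` fragment, run over the authority record from the second dig output. It assumes `ns_samedomain(a, b)` means "a equals b or is a subdomain of b" (label-aligned, case-insensitive) and that `qp->q_domain` is the zone the query was sent to (erosrouge.com, per the root delegation); escaped dots and the rest of BIND's name handling are left out. `samedomain`, `referral_ok`, `count_kept`, `example_kept` and `struct rr` are names of this example, not BIND identifiers.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not BIND's code: a simplified model of the bailiwick
 * ("bad referral") check quoted from ns_resp.c. Names are dot-separated,
 * case-insensitive, with an optional trailing dot; escaped dots inside
 * labels (which the real ns_samedomain handles) are not supported. */

/* Effective length of a name with one trailing dot stripped. */
static size_t name_len(const char *s) {
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '.') n--;
    return n;
}

/* samedomain(a, b): 1 if a equals b or is a subdomain of b, label-aligned
 * and case-insensitive (assumed semantics of ns_samedomain). The root "."
 * contains every name. */
int samedomain(const char *a, const char *b) {
    size_t la = name_len(a), lb = name_len(b);
    if (lb == 0) return 1;                /* everything is under the root */
    if (la < lb) return 0;
    for (size_t i = 0; i < lb; i++) {     /* compare the trailing lb chars */
        if (tolower((unsigned char)a[la - lb + i]) !=
            tolower((unsigned char)b[i])) return 0;
    }
    /* equal, or the suffix must start at a label boundary */
    return la == lb || a[la - lb - 1] == '.';
}

/* One record from the authority section of a reply. */
struct rr { const char *owner; const char *type; const char *rdata; };

/* Apply the two tests from the quoted ns_resp.c logic to an NS/SOA record
 * in the authority section:
 *   1. the queried name must lie under the record owner   (aname !< name)
 *   2. the record owner must lie under the zone queried   (name !< q_domain)
 * Returns 1 if the record would be kept, 0 if it would be discarded. */
int referral_ok(const char *qname, const char *q_domain, const struct rr *r) {
    if (strcmp(r->type, "NS") != 0 && strcmp(r->type, "SOA") != 0)
        return 1;                         /* the check only covers NS/SOA */
    if (!samedomain(qname, r->owner)) {
        printf("bad referral (%s !< %s)\n", qname, r->owner);
        return 0;
    }
    if (!samedomain(r->owner, q_domain)) {
        printf("bad referral (%s !< %s)\n", r->owner, q_domain);
        return 0;
    }
    return 1;
}

/* Number of authority records that survive both tests. */
int count_kept(const char *qname, const char *q_domain,
               const struct rr *auth, int n) {
    int kept = 0;
    for (int i = 0; i < n; i++) kept += referral_ok(qname, q_domain, &auth[i]);
    return kept;
}

/* Constructed from the post: the rogue "com. NS" record returned by the
 * server delegated for erosrouge.com, beside the in-zone record one
 * would have expected. */
const struct rr example_auth[2] = {
    { "com.",           "NS", "myifriendsns1.webpower.com." },  /* out of zone */
    { "erosrouge.com.", "NS", "myifriendsns1.webpower.com." },  /* in zone */
};

/* How many of example_auth a bailiwick-checking resolver keeps (expected 1). */
int example_kept(void) {
    return count_kept("www.erosrouge.com.", "erosrouge.com.", example_auth, 2);
}

int main(void) {
    printf("records kept from the suspect reply: %d of 2\n", example_kept());
    return 0;
}
```

In this model the `com.` NS record passes the first test (www.erosrouge.com does lie under com) but fails the second, because com. is not under the zone the query was sent to, so it is dropped before reaching the cache; the in-zone erosrouge.com NS record passes both. A resolver that applies only the first test, or none, is the one that would cache the rogue com. delegation the post describes.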



