Re: Thoughts about DNS...

Illuminati Primus (vermont@GATE.NET)
Sun, 27 Apr 1997 00:19:23 -0400

I think a temporary solution for the denial of service case is pretty
obvious. If someone is trying to brute force an entry into your
nameserver, the nameserver will first see a few hundred replies with
incorrect ID numbers. So, all it will have to do is invalidate its last
request when it notices an attack, and log who requested the name lookup
(usually the attacker). Of course, this makes it possible to do denial of
service attacks if you can see where a nameserver is sending a request
to, but usually if they can see your network traffic you're screwed
anyway. This should be effective until a much better solution that
employs cryptography (i.e. Secure DNS) is officially released.
In the meantime, I'll see if I can make a small patch to do this, unless
one of the real bind programmers beats me to it...
-Vermont Rutherfoord
vermont@gate.net
Mongoloid Programmer

PD
Although it's not good to have even a small window of opportunity, what
percentage of the ID space could someone cross by fully saturating a T1
with forged DNS replies before the requesting server times out the
request? It would be good to know what type of resources an attacker
would need to make this type of attack.
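The two questions in the post (how much of the ID space a saturated T1 can cover before the request times out, and what the "invalidate after a burst of wrong IDs" heuristic buys) can be worked through with a small model. The block below is an added example; it is not code from the post or from BIND. It assumes a 16-bit transaction ID space, a forged reply of about 90 bytes on the wire (IP + UDP + a minimal DNS answer), a T1 at 1.544 Mbit/s, and a toy `Resolver` with a single outstanding query; the mismatch threshold, packet size and timeout are illustrative choices, not measured values.

```python
# Added example: a model of the 16-bit DNS ID brute force and of the
# "invalidate the request after too many wrong IDs" defence proposed above.
# Not code from the post or from BIND. Packet size, link rate, timeout and
# threshold are assumptions; Resolver is a toy, not a real nameserver.
import random

ID_SPACE = 1 << 16          # 16-bit transaction ID
T1_BPS = 1_544_000          # assumed T1 line rate in bit/s
FORGED_REPLY_BYTES = 90     # assumed on-wire size of a minimal forged reply


def forged_replies_per_second(link_bps=T1_BPS, reply_bytes=FORGED_REPLY_BYTES):
    """Forged replies a fully saturated link can deliver per second."""
    return link_bps / (8 * reply_bytes)


def id_space_coverage(timeout_s, link_bps=T1_BPS, reply_bytes=FORGED_REPLY_BYTES):
    """Fraction of the ID space an attacker sending distinct IDs covers
    before the resolver times the request out (capped at 1.0)."""
    replies = forged_replies_per_second(link_bps, reply_bytes) * timeout_s
    return min(1.0, replies / ID_SPACE)


def seconds_to_cover_id_space(link_bps=T1_BPS, reply_bytes=FORGED_REPLY_BYTES):
    """Time needed to send one forged reply for every possible ID."""
    return ID_SPACE / forged_replies_per_second(link_bps, reply_bytes)


class Resolver:
    """Toy resolver with one outstanding query.  threshold=None is the
    unprotected behaviour; an integer enables the mismatch-counting defence."""

    def __init__(self, threshold=None, rng=None):
        self.threshold = threshold
        self.rng = rng or random.Random()
        self.pending = None
        self.alerts = []        # (qname, requester) logged on invalidation

    def send_query(self, qname, requester):
        txid = self.rng.randrange(ID_SPACE)
        self.pending = {"qname": qname, "txid": txid,
                        "requester": requester, "mismatches": 0}
        return txid

    def receive_reply(self, qname, txid):
        p = self.pending
        if p is None or p["qname"] != qname:
            return "ignored"
        if txid == p["txid"]:
            self.pending = None
            return "accepted"       # a forged reply here poisons the cache
        p["mismatches"] += 1
        if self.threshold is not None and p["mismatches"] >= self.threshold:
            self.alerts.append((qname, p["requester"]))
            self.pending = None     # request dropped; the real answer is now ignored too
            return "invalidated"
        return "mismatch"


def attack_success_rate(budget, threshold, trials=200, seed=1):
    """Fraction of trials in which a flood of `budget` forged replies with
    distinct random IDs gets accepted for the outstanding query."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        r = Resolver(threshold, rng)
        r.send_query("victim.example", requester="attacker-host")
        for guess in rng.sample(range(ID_SPACE), budget):
            outcome = r.receive_reply("victim.example", guess)
            if outcome == "accepted":
                wins += 1
                break
            if outcome == "invalidated":
                break
    return wins / trials


if __name__ == "__main__":
    print(f"forged replies/s on a T1: {forged_replies_per_second():.0f}")
    print(f"ID space covered in 5 s:  {id_space_coverage(5):.1%}")
    print(f"seconds to cover all IDs: {seconds_to_cover_id_space():.1f}")
    budget = int(forged_replies_per_second() * 5)   # replies before a 5 s timeout
    print(f"success, no defence:      {attack_success_rate(budget, None):.3f}")
    print(f"success, threshold=50:    {attack_success_rate(budget, 50):.3f}")
```

Under these assumptions a saturated T1 carries roughly 2,100 forged replies per second, so a 5 second timeout lets an attacker cover about a sixth of the ID space per query, and the whole space in roughly half a minute; the threshold heuristic cuts the attacker's chance per query to about threshold/65536. The same toy also shows the cost the post mentions: once the threshold is hit the pending request is gone, so a later correct reply returns "ignored", which is exactly the denial-of-service an attacker who can see the query can trigger on purpose.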