Re: DNS abuse

David M. Dandar (ddandar@LCARS.DYNDNS.COM)
Sat, 14 Jun 1997 16:36:28 -0400

-----BEGIN PGP SIGNED MESSAGE-----

That url, http://apostols.org/toolz/dnshack.cgi, works even with the
supposed release version of bind 8.1 (05-06-97). The culprit is a query for
DNS.test.15169.spoof.apostols.org, which returns that address as being a
CNAME for Ohhh.shit.My.DNS.server.is.vulnerable, and tacks a whole bunch of
other info into the response. All of it ends up in everyone's cache.

This is the same type of attack outlined by Johannes Erdfelt back in
April. It's nothing difficult or fancy. In about 2 minutes, I had my local
name server returning bogus information in the same genre as the test page
above. All I had to do was tell my server it was authoritative for the
domain I was spoofing.

Excuse me if I am completely wrong on this, but couldn't we just
ignore any RRs for stuff we didn't directly ask for? Just let our local
server initiate another query for Ohhh.shit.My.DNS.server.is.vulnerable.?
The remote server is not authoritative for that domain, and would never get
a chance to answer. Granted that this would increase latency and bandwidth,
but it would avoid the problem.

I certainly wouldn't mind it if everyone had servers that injected
www.enemy.org for www.microsoft.com, but microsoft might. :)

David Dandar

- --
/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| David M. Dandar ddandar@lcars.dyndns.com |
+-------------------------------------------------------------------+
| PGP public key available via finger from above address. |
| ddandar@erols.com ddandar@technet.tjhsst.edu dmdc00z@mail.odu.edu |
\_________________________________________________________________/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM6MAyg37tpZWSzDdAQG32gP/XPpQ1PNOLFhsLGirmR4Bcpdv+a16wci0
2BmI9PKF8rysAv1BgDRALvDv4Y2EApuPv7bX/fpdIs6KNrtk9U36MfeCsDK2iOY0
KjG2CuvbRj2Lp/1AIYV8I3F4nIbpjj33+9S9ZHQzcPlCcCHsdB9MpW+ShSuC7Bf+
weVCyjJpYlo=
=rHVh
-----END PGP SIGNATURE-----
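The filtering rule proposed in the post above, as an added example that is not code from the post, from BIND, or from the apostols.org test page. It parses a constructed DNS response in wire format (one CNAME answer for the queried name, an A record for the CNAME target, a forged www.microsoft.com A record and an in-zone glue record, all with made-up 10.0.0.x addresses) and then decides what a resolver may put in its cache. `strict=True` is the rule the post suggests: keep only records whose owner is the name actually asked for and re-query the CNAME target. `strict=False` is the relaxed "bailiwick" variant: keep any record whose owner lies inside the zone the queried server is believed to serve. The zone name `apostols.org` and the helper names are assumptions for the example.

```python
"""Added example: DNS response parser plus cache-admission filter.
The message, names and addresses below are constructed for illustration."""
import struct

A, CNAME = 1, 5
QNAME = "dns.test.15169.spoof.apostols.org"
TARGET = "Ohhh.shit.My.DNS.server.is.vulnerable"


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(msg, off, hops=0):
    """Decode a possibly compressed name; return (lowercased name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                      # compression pointer
            if hops > 16:
                raise ValueError("pointer loop")
            end = end if end is not None else off + 2
            off, hops = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, hops + 1
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), (end if end is not None else off)


def build_rr(owner, rtype, rdata, ttl=3600):
    """owner may be a name or raw bytes (e.g. a compression pointer)."""
    owner = owner if isinstance(owner, bytes) else encode_name(owner)
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed poisoned reply: qd=1, an=2, ns=0, ar=2; flags = response, RD, RA.
POISONED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 2)
    + encode_name(QNAME) + struct.pack("!HH", A, 1)
    + build_rr(b"\xC0\x0C", CNAME, encode_name(TARGET))        # points at the question name
    + build_rr(TARGET, A, bytes([10, 0, 0, 1]))               # attacker-supplied target address
    + build_rr("www.microsoft.com", A, bytes([10, 0, 0, 2]))   # the poison, "tacked on"
    + build_rr("ns.spoof.apostols.org", A, bytes([10, 0, 0, 3]))  # legitimate in-zone glue
)


def parse_response(msg):
    """Return (qname, qtype, [(section, owner, rtype, rdata), ...])."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    assert qd == 1, "example handles a single question"
    qname, off = read_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4                                          # qtype + qclass
    rrs = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata_off, rdata = off, msg[off:off + rdlen]
            off += rdlen
            if rtype == A and rdlen == 4:
                rdata = ".".join(str(b) for b in rdata)
            elif rtype == CNAME:
                rdata = read_name(msg, rdata_off)[0]
            rrs.append((section, owner, rtype, rdata))
    return qname, qtype, rrs


def is_subdomain(name, zone):
    return name == zone or name.endswith("." + zone)


def admit_to_cache(qname, qtype, rrs, zone, strict=True):
    """Return (records safe to cache, CNAME targets that must be queried afresh)."""
    cached = []
    for _section, owner, rtype, rdata in rrs:
        if strict and owner != qname:                 # not what we asked for: drop it
            continue
        if not strict and not is_subdomain(owner, zone):  # outside the server's zone
            continue
        cached.append((owner, rtype, rdata))
    # Never trust the response's own answer for a CNAME target; ask again.
    targets = [rd for _o, rt, rd in cached if rt == CNAME]
    requery = [t for t in targets
               if not any(o == t and rt == qtype for o, rt, _ in cached)]
    return cached, requery


if __name__ == "__main__":
    parsed = parse_response(POISONED_RESPONSE)
    for strict in (True, False):
        print("strict" if strict else "bailiwick", admit_to_cache(*parsed, "apostols.org", strict=strict))
```

Run as a script it prints both decisions; in both modes the www.microsoft.com record never reaches the cache, and the CNAME target is handed back to the resolver to look up from the servers that really serve it, which is exactly the extra round trip the post accepts as the price.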