North American Network Operators Group
DNS cache poisoning attacks -- are they real?
ISC SANS has recently disclosed yet another suspected DNS cache poisoning attack. I reach a different conclusion, based on publicly available data. Maybe there is unpublished information which suggests a different view.

Unofficial name servers which pose as authoritative for well-known zones have been around for ages. An astonishingly large number is officially authoritative for (at least somewhat) frequented zones, and from time to time, your resolvers receive authority sections containing leaked unofficial data. I noticed this unfortunate fact back in July 2004, when I looked more closely at DNS packet captures for debugging purposes. Even in my limited sample, the number of leaking name servers was so high that systematically contacting their operators and convincing them to change their configurations seemed unfeasible (and many of them were located in regions which are not exactly known for their cooperative spirit when it comes to such matters).

Today, I looked again at a few unofficial servers. Quite a few of them are operated by apparently respectable organizations with an AS number etc. (definitely not the backyard servers behind a cable modem I would expect in an attack). It is hard to tell if the more shady ones legitimately redirect customer traffic, and unintentionally leak these records to the general Internet, or attempt an actual attack. (I'm not sure how to tell them apart at the protocol level. Maybe I'm missing something.) Many of the unofficial records have been unchanged for quite some time (i.e. predating the current "pharming" craze). Even the DNS cache poisoning case described in the ISC diary could be the unwanted consequence of an oversimplified DNS configuration (wildcard RRs for *.com instead of a proper DNS zone).

Are any ISPs actually willing to disconnect customer name servers which serve unofficial zones? I don't believe that many ISPs would try to exercise this much control over the packets their customers send.
Furthermore, there are apparently some reasons for running such servers which generally are considered legitimate. Should we monitor for evidence of hijacks (unofficial NS and SOA records are good indicators)? Should we actively scan for authoritative name servers which return unofficial data? I don't think this makes sense, even if we could strongly discourage the practice. Right now, I suspect that many people rediscovered the relative weakness of the domain name system and started looking for anomalies, and that's why we see an increasing number of reports -- not because of an increasing number of actual attacks.
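The post mentions unofficial NS and SOA records in leaked authority sections as indicators worth monitoring. The following is an added example, not code from the original post or from NANOG, showing what such a check looks like: it parses DNS wire-format responses (including name compression), pulls the NS and SOA records out of the authority section, and flags any at the apex of a zone whose name servers do not appear in a table of the official delegation. The delegation table and the two sample responses are constructed for the example; in practice the table would be populated from the parent zone's NS records.

```python
"""Flag unofficial NS/SOA records in the authority section of a DNS response."""
import struct

TYPE_NS, TYPE_SOA = 2, 6

# Constructed delegation table (assumption for the example): zone apex -> the
# name servers the parent zone actually delegates to.
OFFICIAL_NS = {
    "example.com.": {"a.iana-servers.net.", "b.iana-servers.net."},
}


def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, next offset)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # resume after the pointer
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", end


def parse_rrs(msg, off, count):
    """Parse `count` resource records starting at `off`; decode NS/SOA rdata."""
    rrs = []
    for _ in range(count):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata_off, off = off, off + rdlen
        rr = {"owner": owner, "type": rtype, "ttl": ttl}
        if rtype == TYPE_NS:
            rr["target"], _ = read_name(msg, rdata_off)
        elif rtype == TYPE_SOA:
            rr["mname"], o = read_name(msg, rdata_off)
            rr["rname"], _ = read_name(msg, o)
        rrs.append(rr)
    return rrs, off


def parse_response(msg):
    """Return (answer, authority) RR lists from a wire-format DNS message."""
    _id, _flags, qd, an, ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    answer, off = parse_rrs(msg, off, an)
    authority, _ = parse_rrs(msg, off, ns)
    return answer, authority


def unofficial_records(msg, official=OFFICIAL_NS):
    """Apex NS/SOA records in the authority section that disagree with the delegation.

    Returns a list of (owner, "NS"|"SOA", offending server name)."""
    _, authority = parse_response(msg)
    findings = []
    for rr in authority:
        zone = rr["owner"]
        if zone not in official:                        # not a zone we track
            continue
        if rr["type"] == TYPE_NS and rr["target"] not in official[zone]:
            findings.append((zone, "NS", rr["target"]))
        elif rr["type"] == TYPE_SOA and rr["mname"] not in official[zone]:
            findings.append((zone, "SOA", rr["mname"]))
    return findings


# ---- constructed sample messages (not captured traffic) ----------------------
def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_response(qname, authority):
    """Question for `qname` (A/IN) plus authority RRs given as (owner, type, rdata)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, len(authority), 0)
    msg = hdr + encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, rtype, rdata in authority:
        msg += owner + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg


PTR_ZONE = b"\xc0\x10"   # pointer to "example.com." inside the question name
SOA_TIMERS = struct.pack("!IIIII", 1, 3600, 900, 604800, 86400)

# Leaked authority section: one delegated server plus one that is not.
SAMPLE_LEAK = build_response("www.example.com.", [
    (PTR_ZONE, TYPE_NS, encode_name("a.iana-servers.net.")),
    (PTR_ZONE, TYPE_NS, encode_name("ns1.unofficial.example.net.")),
    (PTR_ZONE, TYPE_SOA, encode_name("ns1.unofficial.example.net.")
     + encode_name("hostmaster.example.net.") + SOA_TIMERS),
])
SAMPLE_CLEAN = build_response("www.example.com.", [
    (PTR_ZONE, TYPE_NS, encode_name("a.iana-servers.net.")),
    (PTR_ZONE, TYPE_NS, encode_name("b.iana-servers.net.")),
])

if __name__ == "__main__":
    for label, sample in (("leak", SAMPLE_LEAK), ("clean", SAMPLE_CLEAN)):
        print(label, unofficial_records(sample))
```

Only records at a tracked zone's apex are compared, so a legitimate NS record delegating a subdomain is not reported. As the post notes, a hit does not by itself distinguish a misconfigured redirect from an attack; the check only tells you that a server handed your resolver authority data the parent zone does not back.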