North American Network Operators Group
Re: DNS cache poisoning attacks -- are they real?
* Brad Knowles:

> It only takes a little while to figure out that domains can be
> fake-hosted using open caching recursive resolvers. Someone creates
> a domain with very small TTLs for the real authoritative servers.
> Within the zone, they do lame delegations to a lot of known public
> caching recursive servers, with much longer TTLs.
>
> The lame delegators do what they think is their duty to serve the
> data they are requested for, and they are the ones who effectively
> serve that data to the world. In fact, the real IP addresses of the
> authoritative servers could be changed every five minutes, with the
> new policies and procedures in place from NetSol.

I doubt this will work on a large scale. At least recent BIND resolvers
would discard replies from the abused caching resolvers because they lack
the AA bit, so only clients using the resolvers as actual resolvers are
affected.

You can more easily seed open resolvers, sure, but with a reasonably sized
botnet, you can do the same thing with closed ones.
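The AA-bit check the reply above relies on, as an added example that is not part of the original thread: a small Python decoder for the DNS header and a resolver-side acceptance rule for replies received after following an NS delegation, fed two constructed replies. The query name example.invalid and the query id are assumptions.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, section 4.1.1)
QR = 0x8000  # message is a response
AA = 0x0400  # authoritative answer
TC = 0x0200  # truncated
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available (set by caching resolvers, not by authoritative servers)


def parse_header(packet):
    """Decode the fixed 12-byte DNS header into its fields."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    return {"id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def accept_from_delegated_server(packet, expected_id):
    """Return True only for a reply a resolver should trust from a server it
    reached via an NS delegation: the id must match, QR must be set, and the
    AA bit must be present. A caching resolver that was lame-delegated to
    answers with RA set and AA clear, so its reply is rejected here."""
    h = parse_header(packet)
    if h["id"] != expected_id or not h["qr"]:
        return False
    return h["aa"]


def build_response(ident, flags):
    """Constructed sample reply: header plus a one-entry question section for
    the hypothetical name example.invalid, type A (1), class IN (1)."""
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label
                     for label in b"example.invalid".split(b".")) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)


# Constructed inputs: what a real authoritative server sends versus what an
# abused open caching resolver sends for the same query id.
AUTHORITATIVE_REPLY = build_response(0x1234, QR | AA)
ABUSED_RESOLVER_REPLY = build_response(0x1234, QR | RD | RA)

if __name__ == "__main__":
    print("authoritative accepted:", accept_from_delegated_server(AUTHORITATIVE_REPLY, 0x1234))
    print("abused resolver accepted:", accept_from_delegated_server(ABUSED_RESOLVER_REPLY, 0x1234))
```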