North American Network Operators Group
Re: DNS cache poisoning attacks -- are they real?
* Brad Knowles:

> At 12:09 AM +0200 2005-03-28, Florian Weimer wrote:
>
>> I doubt this will work on a large scale.
>
> It's already been done on a large scale.
>
>> At least recent BIND resolvers would discard replies from the abused
>> caching resolvers because they lack the AA bit, so only clients using
>> the resolvers as actual resolvers are affected.
>
> Incorrect.

Indeed.

> The resolver requiring that the AA bit be set would prohibit anyone
> from forwarding queries to another server, which might be answering
> from cache.

Would you point me to such a configuration? I don't think it will work
reliably for this purpose because BIND 9 only waives the requirement
for the AA bit if the authority section of the response remotely looks
like a referral. I doubt that this is the case if you simply redirect
to a cache.
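The distinction the message turns on (a non-AA reply is only acceptable when it looks like a referral, so a reply coming straight out of another server's cache is discarded) can be made concrete with a small wire-format check. The code below is an added illustration, not BIND's own logic and not code from anyone in this thread: it parses a DNS response, and classifies it as "authoritative" (AA set), "referral" (AA clear, empty answer section, authority section holding NS records for a zone at or above the queried name), or "rejected" (anything else, which is what a redirected cache reply looks like). The "looks like a referral" heuristic is an assumption approximating what the post describes; all four sample messages are constructed inline, not captured traffic.

```python
import struct

A, NS = 1, 2               # RR types used in the constructed samples
FLAG_QR, FLAG_AA = 0x8000, 0x0400

def encode_name(name):
    """Encode a dotted name into uncompressed DNS wire labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_message(qname, qtype, aa, answers, authority):
    """Build a response (QR set, RCODE 0). answers/authority: (name, type, rdata)."""
    flags = FLAG_QR | (FLAG_AA if aa else 0)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in answers + authority:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body

def decode_name(msg, off):
    """Decode a name at offset, following compression pointers; returns (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_message(msg):
    """Parse header, question and the three RR sections of a DNS message."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return {"aa": bool(flags & FLAG_AA), "question": questions,
            "answer": sections[0], "authority": sections[1], "additional": sections[2]}

def looks_like_referral(resp):
    """Assumed heuristic: no answers, and every authority NS names a zone at or above qname."""
    if resp["answer"]:
        return False
    ns_rrs = [rr for rr in resp["authority"] if rr[1] == NS]
    if not ns_rrs:
        return False
    qname = resp["question"][0][0]
    return all(qname == zone or qname.endswith("." + zone) for zone, _, _ in ns_rrs)

def classify(msg):
    """'authoritative' if AA is set, 'referral' if the non-AA reply looks like one, else 'rejected'."""
    resp = parse_message(msg)
    if resp["aa"]:
        return "authoritative"
    return "referral" if looks_like_referral(resp) else "rejected"

# Constructed samples (not real traffic): all answer a query for www.example.com. A
Q = "www.example.com."
AUTHORITATIVE = build_message(Q, A, True, [(Q, A, bytes([192, 0, 2, 1]))], [])
CACHE_REPLY = build_message(Q, A, False, [(Q, A, bytes([192, 0, 2, 1]))], [])   # relayed cache answer: AA clear, has answers
REFERRAL = build_message(Q, A, False, [], [("example.com.", NS, encode_name("ns1.example.com."))])
OFF_PATH = build_message(Q, A, False, [], [("attacker.example.", NS, encode_name("ns1.attacker.example."))])

if __name__ == "__main__":
    for label, m in [("authoritative", AUTHORITATIVE), ("cache reply", CACHE_REPLY),
                     ("referral", REFERRAL), ("off-path NS", OFF_PATH)]:
        print(f"{label:14s} -> {classify(m)}")
```

The cache reply is the interesting case: it carries answer records but no AA bit, so it fails both branches and is dropped, which is the behaviour the message attributes to BIND 9. Only a reply shaped like a delegation (empty answer, in-bailiwick NS in authority) gets the AA requirement waived.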