North American Network Operators Group


Re: Jonathan Yarden @ TechRepublic: Disable DNS caching on workstations

  • From: Peter & Karin Dambier
  • Date: Mon Apr 18 16:11:51 2005

> Is it possible to "prevent" poisoning attacks?  Is it beneficial, or
> even possible, to prevent TTL's from being an excessively high value?
> -- 
> Jason 'XenoPhage' Frisvold

Preventing poisoning attacks:

I guess most attacks are against windows workstations.

1) Hide them behind a NAT-router. If they cannot see them, they cannot
attack them.

2) Have your own DNS-server, root-server, authoritative server, cache.

You can have your own root-server: and
as well as allow cloning. Just run your Bind 9 as a slave
for "." . An authoritative server cannot be poisoned. Only resolvers can. 

When you have sensitive addresses put them into your /etc/hosts or clone
their zone. Again Bind 9 allows it. Do their servers? 

Get the zone file via ftp or email. Authoritative servers cannot be

Have your own cache behind the NAT-router. If they cannot see you they
cannot poison you.

There is one exception from the rule:

You browse "www.bad.guy". They have a nameserver "ns1.bad.guy" that returns
something like

;; ANSWER SECTION:      86268   IN      A

Then your cache will be in the "" .

But remember - an authoritative DNS-server cannot be poisoned.

Peter Dambier

Peter und Karin Dambier 
Graeffstrasse 14 
D-64646 Heppenheim 
+49-6252-671788 (Telekom) 
+49-6252-599091 (O2 Genion) 
+49-6252-750308 (Sipgate VoIP)
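As an added example (not part of Peter's message or of the BIND project's documentation), a BIND 9 named.conf fragment for the setup he describes: a slave copy of the root zone, a cloned zone for addresses you care about, and recursion answered only for the LAN behind the NAT-router. All IP addresses, the zone name and the file paths are placeholders.

```conf
// Constructed example named.conf fragment for BIND 9; not from the original post.
// Placeholders: 192.0.2.1 / 192.0.2.2 (root-zone masters you trust),
// 203.0.113.53 (master of the cloned zone), 192.168.1.0/24 (your LAN).

options {
    directory "/var/named";
    // Listen only on the inside interface behind the NAT-router.
    listen-on { 127.0.0.1; 192.168.1.53; };
    // Answer recursive queries for the LAN only; outsiders get nothing to poison.
    recursion yes;
    allow-recursion { 127.0.0.1; localnets; };
    allow-query { 127.0.0.1; localnets; };
    // Do not hand our zone copies to arbitrary hosts.
    allow-transfer { none; };
};

// Slave copy of the root zone: answers for "." come from a local, authoritative
// copy loaded by zone transfer, not from cached replies that could be spoofed.
zone "." {
    type slave;
    masters { 192.0.2.1; 192.0.2.2; };   // placeholders for root-zone masters
    file "slave/root.zone";
};

// Clone a zone whose addresses matter to you, as the post suggests.
// If its owner will not allow AXFR, load the zone file they sent you
// (by ftp or mail) with "type master" and the same "file" line instead.
zone "sensitive.example" {
    type slave;
    masters { 203.0.113.53; };           // placeholder for the zone's master
    file "slave/sensitive.example.zone";
};
```

Check the result with `named-checkconf` and confirm the slave zones actually load in the log before relying on them; a failed transfer leaves "." and the cloned zone unanswered rather than falling back to normal recursion.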