North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Jonathan Yarden @ TechRepublic: Disable DNS caching on workstations

  • From: Peter & Karin Dambier
  • Date: Mon Apr 18 16:11:51 2005

> Is it possible to "prevent" poisoning attacks?  Is it beneficial, or
> even possible, to prevent TTL's from being an excessively high value?
> 
> -- 
> Jason 'XenoPhage' Frisvold
> XenoPhage0@gmail.com
> 

Preventing poisoning attacks:

I guess most attacks are against windows workstations.

1) Hide them behind a NAT-router. If they cannot see them, they cannot
attack them.

2) Have your own DSN-server, root-server, authoritative server, cache.

You can have your own root-server: b.root-servers.net and c.root-servers.net
as well as f.root-servers.net allow cloning. Just run your Bind 9 as a slave
for "." . An authoritative server cannot be poisoned. Only resolvers can. 

When you have sensitive addresses put them into your /etc/hosts or clone
their zone. Again Bind 9 allows it. Do their servers? 

Get the zone file via ftp or email. Authoritative servers cannot be
poisoned.

Have your own cache behind the NAT-router. If they cannot see you they
cannot poison you.

There is one exception from the rule:

You browse "www.bad.guy". The have a namesever "ns1.bad.guy" that returns
something like

;; ANSWER SECTION:
a.root-servers.net.      86268   IN      A       205.189.71.2

Then your cache will be in the "Public-Root.net" .

But remember - an authoritative DNS-server cannot be poisoned.

Regards,
Peter Dambier

-- 
Peter und Karin Dambier 
Graeffstrasse 14 
D-64646 Heppenheim 
+49-6252-671788 (Telekom) 
+49-6252-599091 (O2 Genion) 
+49-6252-750308 (Sipgate VoIP)
peter@peter-dambier.de 
www.peter-dambier.de
peter-dambier.site.voila.fr