[AusNOG] DNS Cache Poisoning Vulnerability
Kim Davies
kim at cynosure.com.au
Fri Aug 8 07:52:21 EST 2008

Hi folks,

A number of you have likely heard about this already, but just in case
not, this is a fairly serious issue that deserves a few minutes of
attention.

Recently, it was discovered that the amount of entropy in DNS queries is
relatively low in typical DNS software implementations, making the
ability to spoof answers a fairly trivial exercise that can take as
little as a second. This can be used to poison DNS caches, and
ultimately introduce false data into the DNS.

This is important on two distinctly different fronts:

1) Recursive name servers should have the maximum amount of entropy
   to provide the strongest resistance to spoofed DNS responses. This won't
   solve the problem, but helps mitigate the risk. There are
   patches for BIND etc. now available to randomise the source port of
   queries to aid this. To test a recursive name server you can use
   the tool at
   https://www.dns-oarc.net/oarc/services/dnsentropy

2) For domain registrants, the authoritative name server for your
   domain can be affected if it also offers recursive name service.
   The effects of cache poisoning can therefore introduce false
   data into your zone. To test for vulnerable servers, there is a
   new tool at
   http://recursive.iana.org/
   The solution to this problem is to separate recursive and
   authoritative name service from one another.

There is also an FAQ, focused on part 2, at
http://www.iana.org/reports/2008/cross-pollination-faq.html

cheers,
kim
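As an added illustration of the entropy point in part 1 (not part of the original post, and not the dns-oarc tool), the following script estimates how much entropy a resolver puts into its outgoing queries from a sample of (source port, transaction ID) pairs captured on the wire. The sample data is constructed; a fixed or sequential source port is flagged as poor regardless of the transaction ID.

```python
"""Estimate the entropy a recursive resolver puts into its outgoing queries
from observed (source port, transaction ID) pairs. Sample data is
constructed below; this is not the dns-oarc checker."""
import math
import random
from collections import Counter


def shannon_bits(values):
    """Empirical Shannon entropy in bits. The estimate is bounded by
    log2(len(values)), so a small capture understates a good RNG."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_sequential(values):
    """True when every consecutive pair differs by exactly 1 (a counter)."""
    return all(b - a == 1 for a, b in zip(values, values[1:]))


def assess_query_entropy(samples):
    """samples: list of (src_port, txid) in the order the queries were sent.
    Returns (port_bits, txid_bits, verdict)."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    port_bits = shannon_bits(ports)
    txid_bits = shannon_bits(txids)
    fixed_port = len(set(ports)) == 1
    if fixed_port or is_sequential(ports) or is_sequential(txids):
        verdict = "POOR"   # a guessable field leaves only the other to defend
    elif port_bits + txid_bits >= 20:
        verdict = "GOOD"
    else:
        verdict = "FAIR"
    return port_bits, txid_bits, verdict


# Constructed captures: an unpatched resolver sending from a fixed port 53
# with random transaction IDs, and a patched one randomising both fields.
rng = random.Random(1)
UNPATCHED = [(53, rng.randrange(65536)) for _ in range(2000)]
PATCHED = [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(2000)]

if __name__ == "__main__":
    for name, capture in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, assess_query_entropy(capture))
```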