> The exploit doesn't simply rely on the 16-bit DNS XID.
> Rather, it's reliant on the fact that BIND servers
> (and some others) send requests from a static port.
> Obviously, if you control a DNS server or you can
> sniff the target DNS server's path, you can figure
> this out.
> 
> The second part to the trick is wildcarding in DNS.
> I can make a large number of invalid queries to your
> DNS server if it allows recursing. Each query will
> be something like aaa.paypal.com, bbb.paypal.com, etc.
> Obviously, because I know your source port (or can
> figure it out) it's only a matter of time before I
> can spoof a response. So, you'll end up with a wacky
> A entry for somerand.paypal.com. The neat trick here
> is that I can also attach a NS record in the spoofed
> response and set the TTL very high for this entry.
> Now your DNS server will query my malicious DNS server
> for everything under paypal.com.
> 
> So, yes, plan9 is vulnerable.

i don't understand this
1.  plan 9 never used a static source port for queries,
and more importantly

2.  who does recursive queries on external interfaces?
i would have considered this a configuration error and
security problem ten years ago.

- erik
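The two points in dispute above (whether the resolver reuses one source port, and how much the port adds to the 16-bit XID) can both be checked from a packet capture of the resolver's own outbound queries. The following is an added example written for this thread, not code from either poster or from plan 9; the query tuples are constructed sample data, and `port_entropy_bits`, `flag_static_port` and `spoof_search_space` are hypothetical helper names.

```python
import math
from collections import Counter

# Constructed sample of (source_port, transaction_id) pairs as a resolver would
# emit them on its outbound queries. The first set mimics a resolver bound to a
# single static port; the second mimics one that randomizes both port and XID.
STATIC_PORT_QUERIES = [
    (53, 0x1A2B), (53, 0x9F10), (53, 0x0042), (53, 0x7777),
    (53, 0xC0DE), (53, 0x1234), (53, 0xABCD), (53, 0x0F0F),
]
RANDOM_PORT_QUERIES = [
    (40213, 0x1A2B), (51877, 0x9F10), (60001, 0x0042), (33120, 0x7777),
    (49999, 0xC0DE), (58800, 0x1234), (35555, 0xABCD), (61234, 0x0F0F),
]


def port_entropy_bits(queries):
    """Shannon entropy (in bits) of the source ports seen in a query sample.

    0.0 means every query left from the same port; log2(N) means all N
    sampled queries used distinct ports.
    """
    counts = Counter(port for port, _ in queries)
    n = len(queries)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def flag_static_port(queries, min_distinct=2):
    """True when the resolver appears to reuse a fixed source port.

    A sample that never shows a second port is the configuration the
    quoted message describes; an attacker who can observe one query then
    knows the port for all of them.
    """
    distinct_ports = {port for port, _ in queries}
    return len(distinct_ports) < min_distinct


def spoof_search_space(port_randomized, xid_bits=16, port_bits=16):
    """Number of (port, XID) combinations a forged reply must match.

    With a static port only the XID is unknown (2**16). Randomizing the port
    multiplies the space by the number of possible ports. Real ephemeral
    ranges (e.g. 1024-65535) give slightly under 16 bits; 16 is the ceiling.
    """
    unknown_bits = xid_bits + (port_bits if port_randomized else 0)
    return 2 ** unknown_bits


def audit(queries):
    """Summarize a sample: entropy, static-port verdict and forgery space."""
    static = flag_static_port(queries)
    return {
        "port_entropy_bits": port_entropy_bits(queries),
        "static_port": static,
        "spoof_search_space": spoof_search_space(port_randomized=not static),
    }


if __name__ == "__main__":
    for name, sample in (("static", STATIC_PORT_QUERIES),
                         ("random", RANDOM_PORT_QUERIES)):
        print(name, audit(sample))
```

Feeding real data into `audit` means collecting the UDP source port and DNS ID of the resolver's outbound queries (for example from a capture on its upstream interface); a sustained entropy near zero over many queries is the condition the attack in the quoted message depends on, and a resolver that answers recursive queries from outside on top of that is the configuration erik calls an error.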

