I don't think that this is the exploit that they are talking about. What you say is too simple and requires too much to achieve (doing it at the right time, when a request is made, and quicker than the intended DNS server).
On Wed, Jul 9, 2008 at 12:01 PM, Alexander Lopez <[EMAIL PROTECTED]> wrote:
> Snip
>
> On Wed, Jul 9, 2008 at 10:50 AM, C F <[EMAIL PROTECTED]> wrote:
> > Very interesting article. I guess we won't know much more for another few
> > weeks:
> > http://www.breitbart.com/article.php?id=080709124916.zxdxcmkx&show_article=1
> >
> > I thought this was common knowledge. I remember hearing about the flaw
> > around 2000 or so.
> >
> > Thanks,
> > Steve T
>
> Knowledge yes, but common, I don't think so. Cache Poisoning has been
> around since before 2000.
>
> A properly designed DNS server with the right amount of randomness in its
> request would be a difficult target. The attack exploits the fact that many
> sequential packets had sequential numbers, so that it was easy to send a
> malformed packet back as a response to a query.
>
> It works like this:
>
> Badman requests the address for www.digium.com from a name server; the
> server does not have it in its cache, or it has expired. The name server
> requests the information from its forwarders, or the root domain. Badman
> sends a packet with the address of the forwarder or root domain server
> forged, with an incremented sequence number. The name server thinks that it
> is a valid response and adds it to its cache… the cache is poisoned…
>
> Clearing the cache would clean out the poison entry, and unless the Badman
> was able to guess the precise time your name server was to request the
> information, your server should get the correct entry.
>
> Ever since Windows 2003, Bind 9.0+, and all versions of TinyDNS, random
> numbers have been used for the sequence in the packet. There is always a
> brute force attack that can be done, to simply overwhelm the DNS server and
> possibly 'guess' the next sequence number, but that would be time consuming,
> and most intrusion detection systems will pick it up as a DOS or DDOS attack
> and start to shut down access.
>
> Best solution is to use a trusted DNS server, don't have your master DNS
> server (the one that resolves your domain for the rest of the world) set to
> do recursive lookups, and, as I do, hide your DNS server behind a NAT'ed
> firewall that randomizes outgoing ports and sequence numbers.
>
> Alex
>
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> AstriCon 2008 - September 22 - 25 Phoenix, Arizona
> Register Now: http://www.astricon.net
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
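A toy model of the attack and the defence described in Alex's quoted mail, added here as an example; it is not code from the thread, nor from BIND, TinyDNS or Windows DNS. A resolver keeps a Pending record for each outstanding upstream query and accepts a reply only if the response bit is set and the 16-bit transaction ID (the "sequence number" in the mail), the port the reply arrives on and the question name all match what it sent. Badman floods forged replies with guessed IDs. With the source port fixed at 53, 65536 distinct guesses are guaranteed to hit; with the source port also drawn from 1024-65535, the same flood has roughly a 1-in-64512 chance, which is what "randomizes outgoing ports" buys you. The wire-format helpers are hand-rolled, www.digium.com is the name from the mail, and 203.0.113.66 is a constructed address for the attacker's fake answer. This models only the classic ID-guessing attack Alex describes, not whatever the linked article is about.

```python
import random
import struct
from dataclasses import dataclass

QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000          # header bit: packet is a response, not a query
TXID_SPACE = 1 << 16      # 16-bit transaction ID ("sequence number" in the mail)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def decode_name(pkt: bytes, off: int = 12):
    """Read an uncompressed name at offset `off`; return (name, offset after it)."""
    labels = []
    while pkt[off] != 0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(txid: int, qname: str) -> bytes:
    """A-record query: header (RD set, one question) followed by the question."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_answer(txid: int, qname: str, ip: str, ttl: int = 86400) -> bytes:
    """Response carrying one A record; a forger simply picks txid to taste."""
    hdr = struct.pack("!HHHHHH", txid, FLAG_QR | 0x0400, 1, 1, 0, 0)  # QR | AA
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    # name pointer to offset 12 (the question name), type, class, TTL, RDLENGTH
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return hdr + question + rr


def answer_ip(pkt: bytes) -> str:
    """Pull the A record's address out of a response built by build_answer()."""
    _, off = decode_name(pkt)
    off += 4 + 12   # skip qtype/qclass, then pointer/type/class/ttl/rdlength
    return ".".join(str(b) for b in pkt[off:off + 4])


@dataclass(frozen=True)
class Pending:
    """One outstanding upstream query the resolver is waiting to hear back on."""
    txid: int
    src_port: int      # UDP port the query left from; the reply must come back to it
    qname: str


def resolver_accepts(pending: Pending, dst_port: int, pkt: bytes) -> bool:
    """Acceptance rule: response bit, TXID, reply port and question name must match."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", pkt[:8])
    if not (flags & FLAG_QR) or qdcount != 1 or ancount < 1:
        return False
    qname, _ = decode_name(pkt)
    return txid == pending.txid and dst_port == pending.src_port and qname == pending.qname


def success_probability(n_forged: int, n_ports: int) -> float:
    """Chance that n_forged distinct (txid, port) guesses include the right one."""
    return min(1.0, n_forged / (TXID_SPACE * n_ports))


def attack(pending: Pending, n_forged: int, ports: list, seed: int = 0) -> bool:
    """Badman floods n_forged spoofed replies, each a distinct (txid, port) guess,
    racing the real answer. True means one was accepted: the cache is poisoned."""
    rng = random.Random(seed)
    for g in rng.sample(range(TXID_SPACE * len(ports)), n_forged):
        txid, port = g % TXID_SPACE, ports[g // TXID_SPACE]
        forged = build_answer(txid, pending.qname, "203.0.113.66")  # constructed attacker IP
        if resolver_accepts(pending, port, forged):
            return True
    return False


if __name__ == "__main__":
    rng = random.Random(2008)
    qname = "www.digium.com"
    # Old behaviour: queries always leave from port 53, so only the TXID stands in the way.
    fixed = Pending(rng.randrange(TXID_SPACE), 53, qname)
    print("fixed port, 65536 forged replies: poisoned =", attack(fixed, TXID_SPACE, [53]),
          "p =", success_probability(TXID_SPACE, 1))
    # Randomized source port: the guess space grows by the number of ports in play.
    ports = list(range(1024, 65536))
    rnd = Pending(rng.randrange(TXID_SPACE), rng.choice(ports), qname)
    print("random port, 65536 forged replies: poisoned =", attack(rnd, TXID_SPACE, ports),
          "p =", round(success_probability(TXID_SPACE, len(ports)), 6))
```

The point Alex makes about the forged packet arriving before the real one is what the loop does not model: every guess here is delivered, so the numbers are an upper bound for the attacker. Note also that the check on the question name is what stops a spoofed reply for one name from landing in the cache entry of another; a resolver that skips it is exposed even with random ports.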