Hello,

 I hope this isn't too off-topic, but I've been studying the Kaminsky DNS
exploit and I have a question.

According to what I've read on the topic, the Kaminsky exploit hijacks a
whole domain, and you can launch the attack on a nameserver over and
over. It seems to imply you can do this immediately, before waiting for any
TTLs to expire, by using a series of random name queries. However, I don't
see how that is possible, and I wonder if anyone can explain this.

 I fired up a recursive nameserver running bind 9.4. In another window I
started running a tcpdump session listening for traffic on port 53.

  If I perform a query on one of my domains the first time, for
nonexistant-host.mydomain.com, I can see my nameserver querying the roots,
getting a referral to the auth. nameserver for mydomain.com, and then
seeing the query go out to that authoritative nameserver.

 That makes sense.

However, if I then fire off another query, for
nonexistant-host2.mydomain.com, I do not see another query going out to
find the auth nameserver for mydomain.com, because it is cached in my
recursive resolver.

  This also makes sense.

But then, after an attacker sends his first query for a non-existent host
and isn't able to guess the transaction id to spoof a response before the
real response comes in, won't the resolver have the cached NS records for
mydomain.com stored with a TTL?

I don't see how you can then launch successive queries for other
non-existent hosts until the cached TTL expires for the domain server.

  If anyone can shed any light, I'd appreciate it. I've read several
articles on this topic and it's a piece of the puzzle I've been stumped on.

   Thanks!

   - Jamie
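The behaviour the question turns on can be shown with a small model of a recursive resolver's cache. This is added example code, not part of the original post and not BIND's implementation; the record data (ns1.mydomain.com, 192.0.2.10, ns.example.net) is constructed for the walk-through. It shows two things a defender needs to keep apart: a cached NS record tells the resolver *where* to send a question, it does not answer the question, so every query for a name that is not yet cached still produces an outgoing packet to the authoritative server (that is the observed second query); and the bailiwick check a cache applies to authority and additional records accepts an NS record whose owner name is the zone being queried, so a reply accepted for a fresh name can update the delegation before the old record's TTL has run out. Out-of-zone records are dropped by the same check.

```python
"""Toy recursive-resolver cache (example code, constructed data).

Models only what the question needs: A/NS caching keyed by (name, type),
delegation lookup by walking up the labels, and a bailiwick check on the
records carried in a reply. Negative caching of NXDOMAIN answers is left
out on purpose: each query in the walk-through is for a different name,
so it would not change the result.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    name: str    # owner name, lowercase, no trailing dot
    rtype: str   # "A" or "NS"
    rdata: str
    ttl: int


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it."""
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    def __init__(self) -> None:
        self.store: Dict[Tuple[str, str], RR] = {}
        # (qname, server) for every question sent upstream
        self.upstream_queries: List[Tuple[str, str]] = []

    def lookup(self, name: str, rtype: str) -> Optional[RR]:
        return self.store.get((name, rtype))

    def find_delegation(self, qname: str) -> Optional[RR]:
        """Closest cached NS record at or above `qname`, if any."""
        labels = qname.split(".")
        for i in range(len(labels)):
            ns = self.lookup(".".join(labels[i:]), "NS")
            if ns:
                return ns
        return None

    def resolve(self, qname: str) -> str:
        """Answer from cache, or record the upstream query that is sent.

        A cached delegation changes *where* the question goes (the zone's
        server instead of the roots); it never removes the question.
        """
        hit = self.lookup(qname, "A")
        if hit:
            return f"cache:{hit.rdata}"
        ns = self.find_delegation(qname)
        server = ns.rdata if ns else "root"
        self.upstream_queries.append((qname, server))
        return f"query-sent:{server}"

    def accept_reply(self, zone: str, reply: List[RR]) -> List[RR]:
        """Cache the records of a reply from the server for `zone`.

        Bailiwick check: only records whose owner name is inside `zone`
        are stored; anything else is dropped. Returns what was accepted.
        """
        accepted = []
        for rr in reply:
            if in_bailiwick(rr.name, zone):
                self.store[(rr.name, rr.rtype)] = rr
                accepted.append(rr)
        return accepted


def walk_through() -> dict:
    """Replays the observation from the post against the model."""
    cache = ResolverCache()
    # 1. First query: nothing cached, so the question goes to the roots.
    step1 = cache.resolve("nonexistant-host.mydomain.com")
    # Constructed referral from the .com servers: mydomain.com is inside
    # the com bailiwick, so the NS record is cached with a long TTL.
    cache.accept_reply("com", [RR("mydomain.com", "NS", "ns1.mydomain.com", 86400)])
    # 2. Second query for a different name: the delegation is a cache hit
    #    (no root query), but the name itself is not, so a packet still
    #    goes out to ns1.mydomain.com.
    step2 = cache.resolve("nonexistant-host2.mydomain.com")
    # 3. A reply accepted for that question, carrying an authority-section
    #    NS record for mydomain.com. Its owner name is the zone, so the
    #    bailiwick check admits it and it replaces the cached delegation
    #    although the old record's 86400 s TTL has not expired. The A
    #    record for example.net is outside the zone and is dropped.
    accepted = cache.accept_reply("mydomain.com", [
        RR("nonexistant-host2.mydomain.com", "A", "192.0.2.10", 60),
        RR("mydomain.com", "NS", "ns.example.net", 86400),
        RR("example.net", "A", "203.0.113.5", 86400),
    ])
    delegation = cache.find_delegation("anything.mydomain.com")
    return {
        "step1": step1,
        "step2": step2,
        "accepted": len(accepted),
        "delegation": delegation.rdata if delegation else None,
        "upstream": list(cache.upstream_queries),
    }


if __name__ == "__main__":
    for k, v in walk_through().items():
        print(f"{k}: {v}")
```

The model makes the answer to the question visible: the cached NS record does not stop the per-name upstream query, so there is no need to wait for its TTL, and the bailiwick rule that protects the cache from unrelated domains does not protect a zone's own delegation from a reply accepted for a name in that zone. This is why the fixes deployed for this issue were on the acceptance side (source-port randomization to make a reply much harder to forge, and DNSSEC to verify it) rather than on cache TTLs.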