Date: Thu, 19 Apr 2007 01:25:01 +1200
From: "Bojan Zdrnja" <bojan.zdrnja@...il.com>
To: "Roger A. Grimes" <roger@...neretcs.com>
Cc: "Makoto Shiotsuki" <shio@...rim.or.jp>, bugtraq@...urityfocus.com
Subject: Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing

Hi Roger,

On 4/18/07, Roger A. Grimes <roger@...neretcs.com> wrote:
> How does BIND stop this sort of attack?
>
> Can a BIND expert respond?

I'm not a BIND expert but I can (hopefully) tell you what's happening.
Basically, Windows 2000 before SP3 automatically accepts all authority RRs
(authoritative name servers) that are received in a DNS reply.

So, if you have a DNS server running on Windows 2000 SP3 which is
available from the Internet, and which supports recursive requests,
all an attacker has to do is to issue a DNS request to your server,
for a domain (and a DNS server) that he controls.
The attacker's DNS server can add several authority RRs (they define
authoritative nameservers) for TLDs, such as .com or .net, and will
effectively pollute your DNS cache.

This can be fixed by applying SP4 or changing a registry item.
However, it was later found that Windows 2000 DNS servers were still
vulnerable if they were configured to forward DNS requests to another
DNS server.
So, the typical setup in most organizations is:

Windows DNS -> forwarding to BIND

If you have BIND < v9, it will retrieve the reply but will not strip
out authority RRs. BIND will send this back to the Windows DNS server
which will happily cache everything, trusting BIND.

In BIND v9 this was fixed because it will delete this (extra) data
before sending the reply back to the Windows DNS server (that's why
it's very important to upgrade your DNS servers to BIND v9).

I'm not sure what the story is with other DNS servers (djbdns, for example).

Cheers,

Bojan
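The stripping that the reply above attributes to BIND 9 is a bailiwick check: a resolver should only cache authority records whose owner name is at or below the zone of the server that answered, so NS records for "com." or "net." returned by a server asked about the attacker's own domain are discarded. The Python below is an added example, not code from the original post or from BIND. The domain names, the nameserver and the wire-format reply are constructed for illustration, and the filter only looks at the authority section (a real resolver applies the same rule to the additional section and glue).

```python
"""Bailiwick filtering of a DNS response (constructed example, no network).
Keeps only authority RRs whose owner name lies within the zone the answering
server was asked about; everything else is treated as cache poison."""
import struct

QTYPE_A, QTYPE_NS = 1, 2


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def encode_rr(name, rtype, ttl, rdata):
    """Encode one resource record (class IN)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qname, answers, authority):
    """Build a response to an A query: header, question, answer and authority RRs."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, 1)
    return header + question + b"".join(encode_rr(*rr) for rr in answers + authority)


def parse_response(msg):
    """Return (qname, answers, authority); RRs are (owner, type, ttl, rdata) tuples."""
    _, _, _, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS

    def read_rrs(count):
        nonlocal off
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((owner, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
        return rrs

    answers = read_rrs(ancount)
    return qname, answers, read_rrs(nscount)


def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a name below it (case-insensitive)."""
    owner = owner.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return zone == "." or owner == zone or owner.endswith("." + zone)


def sanitize_authority(msg, zone):
    """Split the authority section into in-bailiwick (kept) and foreign (dropped) RRs."""
    _, answers, authority = parse_response(msg)
    kept = [rr for rr in authority if in_bailiwick(rr[0], zone)]
    dropped = [rr for rr in authority if not in_bailiwick(rr[0], zone)]
    return answers, kept, dropped


# Constructed attacker reply: a genuine answer for its own domain plus bogus
# authority RRs claiming its nameserver is authoritative for com. and net.
ATTACKER_ZONE = "attacker.example."  # assumed attacker-controlled zone
NS_RDATA = encode_name("ns.attacker.example.")
POISONED_REPLY = build_response(
    "www.attacker.example.",
    answers=[("www.attacker.example.", QTYPE_A, 300, bytes([192, 0, 2, 10]))],
    authority=[
        ("attacker.example.", QTYPE_NS, 300, NS_RDATA),  # legitimate, in bailiwick
        ("com.", QTYPE_NS, 86400, NS_RDATA),             # poison: out of bailiwick
        ("net.", QTYPE_NS, 86400, NS_RDATA),             # poison: out of bailiwick
    ],
)


def demo():
    """Return the owner names kept and dropped from the constructed reply."""
    _, kept, dropped = sanitize_authority(POISONED_REPLY, ATTACKER_ZONE)
    return [rr[0] for rr in kept], [rr[0] for rr in dropped]
```

Calling `demo()` returns `(["attacker.example."], ["com.", "net."])`: the NS record for the attacker's own zone is cached, the two TLD records are thrown away. A server that skipped this check, as the message describes for Windows 2000 behind a pre-9 BIND forwarder, would instead cache ns.attacker.example as the nameserver for all of .com and .net.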
