Message-ID: <1063815818.9706.196.camel@localhost.localdomain>
From: d.rowles at outcometechnologies.com (Dan Rowles)
Subject: Verisign abusing .COM/.NET monopoly, BIND releases new

However, wouldn't it be possible for Verisign to get around the BIND
patch with a two-phase response?

So, for example, when your DNS server queries a.gtld-servers.net for
"herhewr.com", it returns a referral to "ns0.verisign.com", and then
querying "ns0.verisign.com" for "herhewr.com" returns you the address of
the sitefinder service?

The obvious response would be to say that you could block all referrals
to "ns0.verisign.com" - but what if the server names were to be dynamic
(e.g. "ns0.herhewr.com", which just happens to have the same IP address as
"ns0.verisign.com")? 

Thoughts anyone?

Dan

On Wed, 2003-09-17 at 14:52, Sam Pointer wrote:
> Thor Larholm wrote:
> >For now, it is returning the same IP address, but I have no trouble
> >imagining Verisign evading DNS filters by changing the A records every
> >now and then. Any solution to prevent Verisign's greed should keep this
> >in mind.
> 
> AFAIK the BIND patch (when set up) accepts delegation RRs *only* from
> configured domains (i.e. SOA and NS records) and forces any in-zone replies
> (i.e. A records such as the one used by Verisign in this instance) in these
> domains to be interpreted as NXDOMAIN responses (paraphrase of the ISC's
> text at http://www.isc.org/products/BIND/delegation-only.html), giving
> normal DNS behaviour.
> 
> In short: it doesn't matter what the A record changed to, if you apply and
> configure the patch and you get an A record back from a delegation only
> domain then it's discarded. What IP address is returned is immaterial, so
> moving it about is a no-go.
> 
> This is much better than any hard-coded constant or updated list of IP
> address options I've seen on various lists.
> 
> IMHO I think that this system will die a death as soon as the major BIND
> shops have time to test and implement this patch. Most do not run their own
> nameservers and when the major ISPs completely bypass this 'feature'
> Verisign will give it up as a hopeless task. That combined with the fact
> that they seem to have trouble merely keeping the boxes at the other end of
> 'sitefinder' alive.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
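As an added illustration (not code from this thread, nor BIND's own implementation), a toy Python resolver that models the delegation-only rule as Sam paraphrases it and then runs Dan's two-phase referral through it. The server names, the zone list and the 192.0.2.1 address are constructed for the example.

```python
from collections import namedtuple

RR = namedtuple("RR", "name rtype rdata")   # owner name with trailing dot, type, rdata

def response(rcode, answer=(), authority=()):
    return {"rcode": rcode, "answer": list(answer), "authority": list(authority)}

DELEGATION_ONLY = {"com.", "net."}   # zones the resolver is configured to treat as delegation-only

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def delegation_only_filter(zone, resp):
    """Model of the patch as paraphrased above: from a delegation-only zone only
    NS/SOA (delegation) records are trusted; any other in-zone record in the
    answer section turns the whole reply into NXDOMAIN, whatever address it held."""
    if zone not in DELEGATION_ONLY:
        return resp
    for rr in resp["answer"]:
        if in_zone(rr.name, zone) and rr.name != zone and rr.rtype not in ("NS", "SOA"):
            return response("NXDOMAIN")
    return resp

def resolve(qname, servers, start):
    """Toy iterative resolver. `servers` maps server name -> (zone it serves, {qname: response})."""
    server = start
    for _ in range(8):                                            # hop limit
        zone, table = servers[server]
        resp = delegation_only_filter(zone, table.get(qname, response("NXDOMAIN")))
        if resp["rcode"] == "NXDOMAIN":
            return "NXDOMAIN"
        addrs = [rr.rdata for rr in resp["answer"] if rr.rtype == "A" and rr.name == qname]
        if addrs:
            return addrs[0]
        referral = [rr for rr in resp["authority"] if rr.rtype == "NS"]
        if not referral:
            return "SERVFAIL"
        server = referral[0].rdata                                # glue lookup omitted
    return "SERVFAIL"

SITEFINDER_IP = "192.0.2.1"   # constructed placeholder address, not Verisign's real one
# Case 1: the wildcard A record answered directly by the TLD server (what the patch targets).
WILDCARD = {"a.gtld-servers.net.": ("com.", {"herhewr.com.": response(
    "NOERROR", [RR("herhewr.com.", "A", SITEFINDER_IP)])})}
# Case 2: Dan's two-phase referral. The NS record is a delegation RR, so the filter lets it
# through, and the answer then comes from a zone that is not delegation-only.
TWO_PHASE = {"a.gtld-servers.net.": ("com.", {"herhewr.com.": response(
    "NOERROR", [], [RR("herhewr.com.", "NS", "ns0.herhewr.com.")])}),
    "ns0.herhewr.com.": ("herhewr.com.", {"herhewr.com.": response(
    "NOERROR", [RR("herhewr.com.", "A", SITEFINDER_IP)])})}
```

In this model the first case collapses to NXDOMAIN regardless of the address, as Sam says, while the referral in the second case passes precisely because NS is the record type the patch trusts.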

