Message-ID: <40475B53.4070503@westpoint.ltd.uk>
From: paul at westpoint.ltd.uk (Paul Johnston)
Subject: [Plugins-writers] recursive DNS issue

Hi,

I think there are three potential risks, none of them particularly major.

1) Information leakage
If an attacker issues non-recursive queries against the server, they can 
see what domains have been looked up, and also infer when from the TTL. 
In fact even if you disable recursion they may still be able to do this. 
For BIND I advocate denying all queries at the top of the config file, 
and then specifically allowing queries for each authoritative zone.

2) Unauthorized use of resources
People can hijack you as a free resolver. This is unlikely to be much of 
a problem in reality. Personally I always know a few open resolvers, so 
I've got backup nameservers if the local ones are down.

3) Potential cache poisoning
This is more a theoretical risk than anything. All the easy cache 
poisoning attacks (ID prediction, birthday, etc.) are vulnerabilities in 
specific versions of software. Better servers like DJB or BIND 9 
randomize both the transaction ID and the UDP source port, giving an 
attacker about 2^26 space to brute force (and no handy shortcuts). This 
is scarcely easier than brute forcing a TCP connection.

Regards,

Paul


omifix omnifix wrote:

>Hi all
>
>can anybody explain to me what the problem is when my
>external DNS server supports recursive DNS queries?
>
>People are telling me that a DNS server is prone to
>cache poisoning when recursive DNS queries are
>supported.
>  
>
-- 
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@...tpoint.ltd.uk
web: www.westpoint.ltd.uk
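The configuration Paul advocates above (deny all queries at the top of the file, then allow queries only for each authoritative zone) written out in BIND 9 named.conf syntax, as an added example that is not part of the original message. The weak file and the hardened file are shown one after the other for comparison; they are two alternative named.conf files, not one file, since BIND accepts only a single options statement. The zone name example.com, the directory and zone file paths are placeholders.

```conf
// ---- named.conf (WEAK) -- added example, not from the original message ----
// An external server that answers anything from anyone, recurses for anyone,
// and pins its outbound UDP source port.
options {
    directory "/var/named";          // placeholder path
    recursion yes;                   // risk 2: anyone can use this host as a free resolver
    allow-query { any; };            // risk 1: anyone can snoop the cache with non-recursive queries
    query-source address * port 53;  // risk 3: fixed source port, so only the 16-bit ID protects the cache
};

zone "example.com" {                 // placeholder authoritative zone
    type master;
    file "example.com.zone";         // placeholder zone file
};

// ---- named.conf (HARDENED) -- added example, not from the original message ----
// Deny everything by default and turn recursion off on the external face,
// then re-open queries zone by zone for the data the server is authoritative for.
options {
    directory "/var/named";          // placeholder path
    recursion no;                    // authoritative-only: nothing cached to leak or poison
    allow-query { none; };           // top-of-file deny, as the message recommends
    allow-recursion { none; };       // explicit, even though recursion is already off
    // no query-source port clause: BIND picks a random UDP source port per outbound query
};

zone "example.com" {                 // placeholder authoritative zone
    type master;
    file "example.com.zone";         // placeholder zone file
    allow-query { any; };            // this zone's data is public, so re-allow queries here only
};
```

After editing, `named-checkconf /etc/named.conf` (real BIND utility; the path is a placeholder) validates the syntax before a reload. The hardened file leaves the server with no cache at all, which removes risks 1 and 3 entirely rather than merely shrinking the brute-force space; if the same host must also resolve for an internal network, run that as a separate resolver (or BIND view) reachable only from inside.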
