[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.BSF.4.58.0403041400430.29849@f00dikator.lampe.com>
From: jwlampe at nessus.org (John Lampe)
Subject: [Plugins-writers] recursive DNS issue
I think another risk might be the ability to bounce DoS attacks through
someone else's network. So, if I want to blast the widgets.com webserver,
I find it's IP and start spoofing DNS UDP queries from the widgets.com
webserver's IP to the DNS recursive server. If I choose the right domain
to 'resolve', I might get a 3:1 or 4:1 return on my packet sizes (i.e. I send
50 or 60 bytes and, depending on the return record, may get 200 bytes sent
to the attacked host)...Now, what if the recursive server is used to
bounce an attack into a competitor of the company owning the recursive
server? So, if SodaBrand_X starts sending massive amounts of DNS reply
data to their competitor, SodaBrand_Y...and SodaBrand_Z can play both
sides against the middle :-)
John Lampe
jwlampe -at- nessus.org
http://f00dikator.aceryder.com/
On Thu, 4 Mar 2004, Paul Johnston wrote:
> Hi,
>
> I think there are three potential risks, none of them particularly major.
>
> 1) Information leakage
> If an attacker issues non-recursive queries against the server, they can
> see what domains have been looked up, and also infer when from the TTL.
> In fact even if you disable recursion they may still be able to do this.
> For BIND I advocate denying all queries at the top of the config file,
> and then specifically allowing queries for each authorative zone.
>
> 2) Unauthorized use of resources
> People can hijack you as a free resolver. This is unlikely to be much of
> a problem in reality. Personally I always know a few open resolvers, so
> I've got backup nameservers if the local ones are down.
>
> 3) Potential cache poisoning
> This is more a theoretical risk than anything. All the easy cache
> poisoning attacks (ID prediction, birthday, etc.) are vulnerabilities in
> specific versions of software. Better servers like DJB or BIND 9
> randomize both the transaction ID and the UDP source port, giving an
> attacker about 2^26 space to brute force (and no handy shortcuts). This
> is scarcely easier than brute forcing a TCP connection.
>
> Regards,
>
> Paul
>
>
> omifix omnifix wrote:
>
> >Hi all
> >
> >can anybody explain me what the problem is when my
> >external DNS server supports recursive DNS queries?
> >
> >People are telling me that a DNS server is prone to
> >cache poisoning when recursive DNS queries are
> >supported.
> >
> >
> --
> Paul Johnston
> Internet Security Specialist
> Westpoint Limited
> Albion Wharf, 19 Albion Street,
> Manchester, M1 5LN
> England
> Tel: +44 (0)161 237 1028
> Fax: +44 (0)161 237 1031
> email: paul@...tpoint.ltd.uk
> web: www.westpoint.ltd.uk
>
>
> _______________________________________________
> Plugins-writers mailing list
> Plugins-writers@...t.nessus.org
> http://mail.nessus.org/mailman/listinfo/plugins-writers
>
Powered by blists - more mailing lists