North American Network Operators Group

Re: how to protect name servers against cache corruption
On Wed, Jul 30, 1997 at 04:38:59AM -0000, [email protected] wrote:
> >itself, and I'm inclined to believe him when he says there are no more
> >trivial fixes. If you know of one, why don't you share it? I'm not
>
> Fair enough.
>
> Here's a simple piece of input. If BIND 8.1.1 receives a DNS query
> response with an invalid query ID, it logs it and drops the packet.
> However, the invalid query ID is evidence of an attack in progress. Why
> doesn't BIND parse the packet, find out what question is being answered,
> and immediately re-issue the query with a different ID?

If a copy of BIND _receives_ a query, decides it's bogus, logs it, and drops
it, then a question isn't _being_ answered, it's being _asked_. Why _would_
BIND re-issue a query? It hadn't _issued_ that query in the first place.

Or, in simpler terms, "huh"?

> In other words, it's possible for BIND to detect that it is under attack
> (in a response-forged query-ID guessing situation). BIND doesn't do
> anything about this. Why?

This isn't so much a security bug, but more a lack of a security-enhancing
feature. It _certainly_ doesn't merit the veiled character assassination
you've been using it to justify.

> Just the simplest suggestion I can come up with (without having this go
> into multiple pages) to convey the idea that I am trying to be
> constructive here.

You've failed.

> I'm not sure this is the appropriate forum for this discussion
> (*copout*Ididn'tstartthisthread*copout*), but if you want further details
> as to my harebrained suggestions, I'm happy to give them!

Time to move this to bind-workers, no?

Perry, Paul?

Cheers,
-- jra

-- 
Jay R. Ashworth                                          [email protected]
Member of the Technical Staff            Unsolicited Commercial Emailers Sued
The Suncoast Freenet            "People propose, science studies, technology
Tampa Bay, Florida              conforms."  -- Dr. Don Norman  +1 813 790 7592
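Added example, not part of this thread and not BIND's code: a small model of the response-side check the quoted message is arguing about. The resolver below tracks in-flight questions by a randomly chosen 16-bit ID; a response whose ID and question section do not match an outstanding query is logged and dropped (what the message says BIND 8.1.1 does), and, as the quoted suggestion proposes, if the bogus packet names a question that really is in flight, that question is re-issued under a fresh ID. Everything here (the Resolver class, its field names, the uncompressed-name wire builders, the constructed sample packets) is an assumption of this example, not a description of any BIND internals.

```python
import secrets
import struct

A = 1    # QTYPE A
IN = 1   # QCLASS IN


def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Decode uncompressed labels at buf[off:]; return (name, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(qid, name, qtype=A):
    """Standard query: RD set, one question, no other sections."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, IN)


def build_response(qid, name, ip, qtype=A):
    """Response (QR, RD, RA set) echoing the question with one A record.
    Used here only to construct sample packets; no network is involved."""
    header = struct.pack("!6H", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, IN)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", qtype, IN, 300, len(rdata)) + rdata
    return header + question + answer


class Resolver:
    """Hypothetical resolver: validates responses against in-flight queries."""

    def __init__(self):
        self.outstanding = {}   # qid -> (name, qtype)
        self.cache = {}         # (name, qtype) -> rdata
        self.log = []
        self.forged_seen = 0    # mismatched-ID responses observed

    def _fresh_id(self):
        # CSPRNG-chosen 16-bit ID, distinct from anything currently in flight.
        while True:
            qid = secrets.randbelow(1 << 16)
            if qid not in self.outstanding:
                return qid

    def issue(self, name, qtype=A):
        """Record a new outstanding question and return the wire-format query."""
        qid = self._fresh_id()
        self.outstanding[qid] = (name, qtype)
        return build_query(qid, name, qtype)

    def handle_response(self, pkt):
        """Return ('accepted', rdata) or ('dropped', reissued_query_or_None)."""
        qid, flags, qdcount = struct.unpack("!3H", pkt[:6])
        if not flags & 0x8000 or qdcount != 1:
            return ("dropped", None)          # not a response, or malformed
        qname, off = decode_name(pkt, 12)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        question = (qname, qtype)
        if self.outstanding.get(qid) != question:
            # Mismatch: log and drop, as the thread says BIND 8.1.1 does.
            self.forged_seen += 1
            self.log.append("ID %d does not match an outstanding query for %s" % (qid, qname))
            # The quoted proposal: if the bogus packet names a question we do
            # have in flight, someone is guessing its ID; retire that ID and re-ask.
            reissued = None
            for old_id, q in list(self.outstanding.items()):
                if q == question:
                    del self.outstanding[old_id]
                    reissued = self.issue(qname, qtype)
                    break
            return ("dropped", reissued)
        # ID and question both match: consume the entry and take the answer.
        del self.outstanding[qid]
        off += 4
        _, off = decode_name(pkt, off)
        _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata = pkt[off + 10:off + 10 + rdlen]
        self.cache[question] = rdata
        return ("accepted", rdata)


if __name__ == "__main__":
    r = Resolver()
    q = r.issue("www.example.com")
    qid = int.from_bytes(q[:2], "big")
    print(r.handle_response(build_response((qid + 1) & 0xFFFF, "www.example.com", "10.0.0.1")))
    print(r.log)
```

One cost of the re-issue step is visible in the model: once the question is re-issued under a new ID, the genuine answer to the old ID, still in flight from the authoritative server, is itself rejected as a mismatch when it arrives and triggers yet another re-issue, so each forged packet that names an in-flight question buys the attacker a fresh round trip rather than ending the race.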