North American Network Operators Group


Re: DNS cache poisoning attacks -- are they real?

  • From: Florian Weimer
  • Date: Tue Mar 29 06:10:16 2005

* Simon Waters:

>> This is _nothing_ to do with what you're running on the recursive
>> nameserver.  It is doing _exactly_ what it is supposed to do.  Get
>> answers, store in cache, respond to queries from cache if TTL isn't
>> expired.
>
> The answers from a recursive server won't be marked authoritative (AA bit not
> set), and so correct behaviour is to discard (BIND will log a lame server
> message as well by default) these records.

Unfortunately, this is not quite true.  Brad and Chris are right.  I
couldn't believe it either, but after a long stare at BIND's is_lame
function, I have to agree with them.

BIND accepts non-authoritative answers if their additional section
looks a bit like a referral.  I don't think that this check is
deliberately lax, but stricter checks are simply harder to do on this
particular code path.

> If your recursive resolver doesn't discard these records, suggest
> you get one that works ;)

Which one would?  Keep in mind that referrals do not have the AA bit
set, so a simple filter wouldn't work.
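The point made in this thread is that a resolver cannot simply drop every response without the AA bit, because legitimate referrals also lack it. The following Python is an added example, not part of the NANOG thread and not BIND's is_lame code: it builds a few constructed DNS responses (no real server was queried), parses them, and applies a stricter classification than the one the message describes: a response is accepted as a referral only if it carries no answer records and its authority section holds NS records for the query name or one of its parents; an unmarked answer that merely has referral-looking padding is flagged as lame. The message builders, sample names and the three-way label scheme are assumptions for illustration.

```python
import struct

# --- constructed wire-format helpers (not captured traffic) ------------------
def _name(s):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in s.strip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_response(qname, aa, answers, authority):
    """Build a minimal DNS response. answers/authority are lists of
    (owner, rtype, rdata); rtype 1 = A, 2 = NS. Only flags QR and AA are set."""
    flags = 0x8000 | (0x0400 if aa else 0)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    question = _name(qname) + struct.pack("!HH", 1, 1)          # A IN
    def rr(owner, rtype, rdata):
        return _name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    body = b"".join(rr(*a) for a in answers) + b"".join(rr(*a) for a in authority)
    return hdr + question + body

# --- parser -------------------------------------------------------------------
def _read_name(msg, off):
    labels = []
    while True:
        l = msg[off]
        if l == 0:
            return ".".join(labels) + ".", off + 1
        if l & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr)
            return ((".".join(labels) + "." + tail) if labels else tail), off + 2
        labels.append(msg[off + 1:off + 1 + l].decode())
        off += 1 + l

def parse_response(msg):
    """Return header flag of interest plus the three RR sections."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            owner, off = _read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return {"aa": bool(flags & 0x0400), "qname": qname,
            "answer": sections[0], "authority": sections[1], "additional": sections[2]}

# --- the check ----------------------------------------------------------------
def _is_parent_or_self(owner, qname):
    return owner == "." or qname == owner or qname.endswith("." + owner)

def classify(msg):
    """'authoritative' (AA set), 'referral' (no answers, NS for qname or a parent
    in the authority section) or 'lame' (unmarked answer data: discard it)."""
    r = parse_response(msg)
    if r["aa"]:
        return "authoritative"
    ns_owners = {owner for owner, rtype, _ in r["authority"] if rtype == 2}
    if not r["answer"] and ns_owners and \
            all(_is_parent_or_self(o, r["qname"]) for o in ns_owners):
        return "referral"
    return "lame"

# Constructed samples (addresses from the documentation range 192.0.2.0/24).
AUTH_ANSWER = build_response("www.example.com.", True,
                             [("www.example.com.", 1, bytes([192, 0, 2, 1]))], [])
REFERRAL = build_response("www.example.com.", False, [],
                          [("example.com.", 2, _name("ns1.example.com."))])
# Non-authoritative answer dressed up with an NS record: still lame.
LAME_ANSWER = build_response("www.example.com.", False,
                             [("www.example.com.", 1, bytes([192, 0, 2, 2]))],
                             [("example.com.", 2, _name("ns1.example.com."))])

if __name__ == "__main__":
    for label, m in (("auth", AUTH_ANSWER), ("referral", REFERRAL), ("lame", LAME_ANSWER)):
        print(label, "->", classify(m))
```

The deciding rule is the empty answer section combined with NS records that cover the query name; dropping on AA alone would reject the referral sample, which is exactly the problem the reply points out. A production resolver would also have to check the question section against the original query and handle compression in every section, which this example only does in the name reader.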