North American Network Operators Group

Re: DNS cache poisoning attacks -- are they real?

  • From: Florian Weimer
  • Date: Tue Mar 29 10:44:27 2005

* Chris Brenton:

> In a perfect world, this might be a viable solution. The problem is
> there are far too many legitimate but "broken" name servers out there.
> On an average day I log well over 100 lame servers. If I broke this
> functionality, my helpdesk would get flooded pretty quickly with angry
> users.

Assuming BIND 9:

        /*
         * Is the server lame?
         */
        if (fctx->res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
            is_lame(fctx)) {
                log_lame(fctx, query->addrinfo);
                result = dns_adb_marklame(fctx->adb, query->addrinfo,
                                          &fctx->domain,
                                          now + fctx->res->lame_ttl);
                if (result != ISC_R_SUCCESS)
                        isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
                                      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
                                      "could not mark server as lame: %s",
                                      isc_result_totext(result));
                broken_server = DNS_R_LAME;
                keep_trying = ISC_TRUE;
                goto done;
        }

So if you see something in the logs, it is already broken. 8-)

The discussion in this part of the thread focuses on flagging more
servers as lame (which are currently not detected by BIND or even
logged).
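An added Python model of the check and the marking step in the block quoted above; it is not BIND code and not part of the post. `is_lame()` reproduces the decision BIND's resolver makes on a referral (referral to a child zone is a normal delegation; referral to the expected zone without AA, or to a parent or unrelated zone, is lame), `LameCache` mirrors what `dns_adb_marklame()` does with `lame_ttl`, and `handle_response()` applies the same `lame_ttl != 0 && is_lame()` gate. The `Response` fields and the `relation()` helper are my simplification of BIND's message structure and of `dns_name_fullcompare()`.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    rcode: str          # "NOERROR", "NXDOMAIN", "SERVFAIL", ...
    aa: bool            # authoritative-answer flag
    answer_count: int   # records in the answer section
    authority_ns: list  # owner names of NS records in the authority section

def _labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def relation(name, zone):
    """Simplified dns_name_fullcompare(): 'equal', 'subdomain' (name below zone) or 'other'."""
    n, z = _labels(name), _labels(zone)
    if n == z:
        return "equal"
    if len(n) > len(z) and n[len(n) - len(z):] == z:
        return "subdomain"
    return "other"

def is_lame(resp, expected_zone):
    """Simplified is_lame(): referral to the same zone without AA, or to a parent/unrelated zone."""
    if resp.rcode not in ("NOERROR", "NXDOMAIN"):
        return False
    if resp.answer_count != 0 or not resp.authority_ns:
        return False
    rel = relation(resp.authority_ns[0], expected_zone)
    if rel == "subdomain" or (rel == "equal" and resp.aa):
        return False  # ordinary delegation downward, or an authoritative NODATA/NXDOMAIN
    return True

@dataclass
class LameCache:
    """Mirrors dns_adb_marklame(): (server, zone) is skipped until now + lame_ttl."""
    lame_ttl: int
    marks: dict = field(default_factory=dict)

    def mark(self, server, zone, now):
        self.marks[(server, zone)] = now + self.lame_ttl

    def is_marked(self, server, zone, now):
        expiry = self.marks.get((server, zone))
        return expiry is not None and now < expiry

def handle_response(cache, server, zone, resp, now):
    # Same gate as the quoted block: lame_ttl == 0 disables lame marking entirely.
    if cache.lame_ttl != 0 and is_lame(resp, zone):
        cache.mark(server, zone, now)
        return True
    return False
```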