Re: Exploit for DNS Cache Poisoning - RELEASED

• From: Tony Finch
• Date: Thu Jul 24 08:21:29 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

On Wed, 23 Jul 2008, Kevin Day wrote:
>
> The new way is slightly more sneaky. You get the victim to try to
> resolve an otherwise invalid and uncached hostname like 00001.gmail.com,
> and try to beat the real response with spoofed replies. Except this time
> your reply comes with an additional record containing the IP for
> www.gmail.com to the one you want to redirect it to. If you win the race
> and the victim accepts your spoof for 00001.gmail.com, it will also
> accept (and overwrite any cached value) for your additional record for
> www.gmail.com as well.

RFC 2181 says the resolver should not overwrite authoritative data with
additional data in this manner.

I believe the Matasano description is wrong.

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
FORTIES CROMARTY FORTH TYNE DOGGER: EAST OR SOUTHEAST 3 OR 4, INCREASING 5 OR
6 LATER. SLIGHT OR MODERATE. FOG PATCHES. GOOD, OCCASIONALLY VERY POOR.

• References:
  • Re: Exploit for DNS Cache Poisoning - RELEASED Joe Greco
  • Re: Exploit for DNS Cache Poisoning - RELEASED Kevin Day

• Prev by Date: Re: Exploit for DNS Cache Poisoning - RELEASED
• Next by Date: RE: XO contact
• Date Index
• Thread Index
• Author Index
• Historical