North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: TLD servers with recursion was Re: Exploit for DNS Cache Poisoning - RELEASED

  • From: Gadi Evron
  • Date: Thu Jul 24 11:25:01 2008
On Thu, 24 Jul 2008, John Kristoff wrote: 
On Thu, 24 Jul 2008 10:06:25 +0100
Simon Waters <[email protected]> wrote:

I checked last night, and noticed TLD servers for .VA and .MUSEUM are
still offering recursion amongst a load of less popular top level
domains.

Indeed just under 10% of the authoritative name servers mentioned in
the root zone file still offer recursion.


While not ideal, at least most resolvers will not go asking those
servers for anything other than what they are authoritative for unless
an attacker for some reason wanted to setup a long chain of poisons. The
large, shared caching servers and all those open CPE devices are a
much larger concern I think.

Indeed--you won't hear arguments from me on other threats, especially not CPE devices which I fought to bring recognition to.

But sticking to the point, TLD servers should (under most circumstances) be recursive. Thing is, those that are, are likely to stay that way.

I personally know several folks from within and wayyy from outside the DNS world who discovered this very out there and obvious issue and worked hard to try and contact the operators. Those that haven't fixed it yet, likely won't if all thing remain even.

Others I am not aware of likely did the same, withs imilar results. I guess we could try again.

Gadi.