[nsp-sec] dns issues?
Florian Weimer
fweimer at bfk.de
Fri Feb 27 05:40:15 EST 2009
* Mike Lewinski:
> Perhaps these issues are all unrelated, but my spider sense is
> starting to tingle...
I haven't seen increased cache-miss traffic.
Recently, a cache poisoning vulnerability in tinydns/dnscache (the
Bernstein resolver) has been disclosed. Maybe this has renewed
interest in cache poisoning attacks, which would initially be
perceived as denial-of-service attacks. But this is pure
speculation.
> 1) Last week we had a customer start complaining about periodic
> timeouts on one of our resolvers. I'm still investigating it, but it
> seems to have resolved itself without any changes here. What is really
> strange is that in my packet captures I can see BIND do the full
> recursion that is requested, but it simply never sends a reply back to
> the customer's original query while answering other queries at the
> same time without a problem (and they are using a nagios test to
> lookup their own www A record).
It might be interesting to look at packet captures/traces. Something
like this can happen if the stub resolver picks an unlucky source port
(such as 1434/UDP). More speculation. 8-/
> 2) Yesterday another customer discovered his own resolver cache was
> poisoned, and his access to some web sites was being proxied through
> vipertheripper.com
Have you been able to figure out how the cache was poisoned?
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
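The source-port point above (a stub resolver that happens to pick UDP/1434 as its source port and never sees the reply because something in the path drops that port) is the kind of thing that only shows up when query and response records are paired. The script below is an added example, not code from this thread or from anyone on it: it pairs queries with replies from a simplified, constructed capture log by (client address, client port, transaction id), lists the queries that were never answered, and marks whether the client port is one commonly filtered at network edges. UDP/1434 is the port named in the thread; the other ports in SUSPECT_PORTS and the log format itself are assumptions made for illustration.

```python
"""Pair DNS queries with replies and flag unanswered queries by client port.

Added example for the nsp-sec thread above; not part of the original post.
The log format is constructed (one line per datagram) and is not a real
tcpdump or BIND format:  ts src.port > dst.port: txid qtype qname
"""
import re
from collections import defaultdict

# UDP/1434 is the port mentioned in the thread. The remaining ports are an
# assumption: other ports that edge filters commonly drop regardless of payload.
SUSPECT_PORTS = {1434, 135, 137, 138, 139, 445}

# Constructed sample: three lookups from one client, one of which (source port
# 1434) is retransmitted and never answered.
SAMPLE_LOG = """\
10:00:01.001 192.0.2.10.53000 > 198.51.100.5.53: 0x1a2b A www.example.com
10:00:01.040 198.51.100.5.53 > 192.0.2.10.53000: 0x1a2b A www.example.com
10:00:02.002 192.0.2.10.1434 > 198.51.100.5.53: 0x3c4d A www.example.com
10:00:07.003 192.0.2.10.1434 > 198.51.100.5.53: 0x3c4d A www.example.com
10:00:12.004 192.0.2.10.40001 > 198.51.100.5.53: 0x5e6f A www.example.com
10:00:12.050 198.51.100.5.53 > 192.0.2.10.40001: 0x5e6f A www.example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>0x[0-9a-fA-F]+) (?P<qtype>\S+) (?P<qname>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_unanswered(log_text, resolver_port=53, suspect_ports=SUSPECT_PORTS):
    """Return queries that never received a reply, oldest first.

    A datagram addressed to resolver_port is a query; one sent from it is a
    reply. Query and reply are matched on (client ip, client port, txid),
    so a retransmitted query with the same txid counts as one lookup with
    several attempts.
    """
    queries = {}            # (client, client_port, txid) -> {"times": [...], "qname": ...}
    answered = set()        # same key shape, for replies seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] == resolver_port:
            key = (rec["sip"], rec["sport"], rec["txid"])
            entry = queries.setdefault(key, {"times": [], "qname": rec["qname"]})
            entry["times"].append(rec["ts"])
        elif rec["sport"] == resolver_port:
            answered.add((rec["dip"], rec["dport"], rec["txid"]))

    result = []
    for (client, cport, txid), info in queries.items():
        if (client, cport, txid) in answered:
            continue
        result.append({
            "client": client,
            "client_port": cport,
            "txid": txid,
            "qname": info["qname"],
            "attempts": len(info["times"]),
            "first_seen": info["times"][0],
            "suspect_port": cport in suspect_ports,
        })
    result.sort(key=lambda r: r["first_seen"])
    return result


def summarize(unanswered):
    """Counts a practitioner would want at a glance when triaging timeouts."""
    return {
        "unanswered": len(unanswered),
        "on_suspect_ports": sum(1 for r in unanswered if r["suspect_port"]),
        "retransmitted": sum(1 for r in unanswered if r["attempts"] > 1),
    }


if __name__ == "__main__":
    rows = find_unanswered(SAMPLE_LOG)
    for r in rows:
        flag = "SUSPECT PORT" if r["suspect_port"] else ""
        print(f"{r['first_seen']} {r['client']}:{r['client_port']} {r['txid']} "
              f"{r['qname']} attempts={r['attempts']} {flag}")
    print(summarize(rows))
```

When run against a real capture the "unanswered" list also picks up queries whose reply arrived after the capture ended, so look at the attempts count and the port pattern rather than treating a single unanswered query as evidence. If the unanswered queries cluster on a handful of client ports and the same names resolve fine from other ports, the path filter explanation fits; if they cluster on names instead, look at the recursion side.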