[dns-operations] Description of the "Kashpureff-style DNS cache corruption attack"
Peter Dambier
peter at peter-dambier.de
Sun Nov 26 17:18:37 UTC 2006
The thing I have seen is that my nameserver changed roots.
My root looks like:
; <<>> DiG 9.4.0b2 <<>> -t any .
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24879
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 4
;; QUESTION SECTION:
;. IN ANY
;; ANSWER SECTION:
. 259200 IN SOA a-root.maxmv.org. hostmaster.maxmv.org. 2006112201 86400 10800 2592000 86400
. 279560 IN NS b-root.maxmv.org.
. 279560 IN NS e-root.maxmv.org.
. 279560 IN NS a-root.maxmv.org.
. 279560 IN NS d-root.maxmv.org.
. 279560 IN NS f-root.maxmv.org.
;; ADDITIONAL SECTION:
b-root.maxmv.org. 3010 IN A 82.199.192.254
d-root.maxmv.org. 3010 IN A 24.129.114.64
e-root.maxmv.org. 3013 IN A 66.92.233.14
f-root.maxmv.org. 3013 IN A 66.92.233.130
;; Query time: 66 msec
;; SERVER: 192.168.48.227#53(192.168.48.227)
;; WHEN: Sun Nov 26 18:07:37 2006
;; MSG SIZE rcvd: 236
Now look for a nonexistent domain:
; <<>> DiG 9.4.0b2 <<>> -t any gurgleblaster. @a9.info.afilias-nst.info.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31230
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;gurgleblaster. IN ANY
;; AUTHORITY SECTION:
. 86400 IN NS A.ROOT-SERVERS.NET.
. 86400 IN NS B.ROOT-SERVERS.NET.
. 86400 IN NS C.ROOT-SERVERS.NET.
. 86400 IN NS D.ROOT-SERVERS.NET.
. 86400 IN NS E.ROOT-SERVERS.NET.
. 86400 IN NS F.ROOT-SERVERS.NET.
. 86400 IN NS G.ROOT-SERVERS.NET.
. 86400 IN NS H.ROOT-SERVERS.NET.
. 86400 IN NS I.ROOT-SERVERS.NET.
. 86400 IN NS J.ROOT-SERVERS.NET.
. 86400 IN NS K.ROOT-SERVERS.NET.
. 86400 IN NS L.ROOT-SERVERS.NET.
. 86400 IN NS M.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 86400 IN A 198.41.0.4
B.ROOT-SERVERS.NET. 86400 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 86400 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 86400 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 86400 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 86400 IN A 192.5.5.241
G.ROOT-SERVERS.NET. 86400 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 86400 IN A 128.63.2.53
I.ROOT-SERVERS.NET. 86400 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 86400 IN A 192.58.128.30
K.ROOT-SERVERS.NET. 86400 IN A 193.0.14.129
L.ROOT-SERVERS.NET. 86400 IN A 198.32.64.12
M.ROOT-SERVERS.NET. 86400 IN A 202.12.27.33
;; Query time: 70 msec
;; SERVER: 204.74.112.33#53(204.74.112.33)
;; WHEN: Sun Nov 26 18:11:01 2006
;; MSG SIZE rcvd: 450
If you are very unlucky then your nameserver has changed roots.
The real attack is a little bit more elaborate, but the trick is:
ask for a domain where you control the nameservers and return
glue records for a domain you are not really authoritative for.
With djbdns you won't succeed.
With BIND and slaving the domain that might be kashpureffed
you won't succeed either.
BIND 9 is a bit more paranoid - but beware, there are switches.
Kind regards
Peter and Karin
Florian Weimer wrote:
> There's this curious note on the ISC web page:
>
> | BIND4/BIND8 Unsuitable for Forwarder Use
> |
> | If any nameserver, whether BIND or not is configured to use
> | forwarders, then none of those target forwarders should be running
> | BIND4 or BIND8. Upgrade all nameservers used as forwarders to
> | BIND9. There is a current, wide scale Kashpureff-style DNS cache
> | corruption attack which depends on BIND4 and BIND8 as forwarders
> | targets.
>
> It seems that other sources are somewhat reluctant to name a software
> bug after a convicted felon, so it's kind of hard to find the
> technical details. CERT/CC advisory CA-1997-22 seems to deal with this
> bug, but is a bit short on the technical side as well.
>
> I'm interested in this issue because I want to deploy BIND 9 in
> forward-only mode, and I don't know what kind of software the
> forwarders are running. I can't imagine how this bug can be triggered
> in forward-only mode, but I want to make sure that I'm not missing
> anything.
--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher-Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
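An added example, not code from Peter's post or from any of the resolvers he names: a small Python model of the bailiwick check that stricter resolvers apply to authority and additional records, run over a constructed response built to mirror the trick described above (the maxmv.org names are taken from the post, the 192.0.2.x addresses are constructed, and the root hints use the real root server names). It shows why the same response replaces the cached root NS set in a resolver without the check and leaves it untouched in one that has it.

```python
from collections import defaultdict

def in_bailiwick(owner, zone):
    """Label-wise test that `owner` is `zone` itself or a name below it.
    Comparing labels rather than string suffixes is what keeps a name such
    as evilmaxmv.org from being treated as inside maxmv.org."""
    o = [l.lower() for l in owner.rstrip(".").split(".") if l]
    z = [l.lower() for l in zone.rstrip(".").split(".") if l]
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def cache_response(cache, zone, records, check_bailiwick):
    """Insert (owner, type, rdata) records into `cache`, where a fresh RRset
    replaces any cached RRset with the same owner and type (the behaviour that
    lets a poisoned NS set overwrite the root hints). With check_bailiwick
    set, records owned by names outside `zone` are dropped and returned."""
    dropped, replaced = [], set()
    for owner, rtype, rdata in records:
        key = (owner.lower(), rtype)
        if check_bailiwick and not in_bailiwick(owner, zone):
            dropped.append((owner, rtype, rdata))
            continue
        if key not in replaced:
            cache[key] = set()
            replaced.add(key)
        cache[key].add(rdata)
    return dropped

# Constructed response modelled on the trick in the post: the resolver asked a
# server authoritative for maxmv.org about a name under that zone and got back
# NS records for the root pointing at hosts under the attacker's own zone.
POISONED_RESPONSE = [
    ("gurgleblaster.maxmv.org.", "A", "192.0.2.10"),   # answer for the qname
    (".", "NS", "a-root.maxmv.org."),                  # root NS: out of bailiwick
    (".", "NS", "b-root.maxmv.org."),                  # root NS: out of bailiwick
    ("a-root.maxmv.org.", "A", "192.0.2.1"),           # glue inside maxmv.org
    ("b-root.maxmv.org.", "A", "192.0.2.2"),           # glue inside maxmv.org
]

def root_ns_after(check_bailiwick):
    """Seed a cache with root hints, process the response, return the root NS set."""
    cache = defaultdict(set)
    cache[(".", "NS")].update({"a.root-servers.net.", "b.root-servers.net."})
    cache_response(cache, "maxmv.org.", POISONED_RESPONSE, check_bailiwick)
    return sorted(cache[(".", "NS")])

if __name__ == "__main__":
    print("no check :", root_ns_after(False))   # roots replaced by maxmv.org hosts
    print("bailiwick:", root_ns_after(True))    # real root hints survive
```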