[dns-operations] Description of the "Kashpureff-style DNS cache corruption attack"

Paul Vixie paul at vix.com
Sun Nov 26 21:18:14 UTC 2006

> I'm interested in this issue because I want to deploy BIND 9 in forward-only
> mode, and I don't know what kind of software the forwarders are running.  I
> can't imagine how this bug can be triggered in forward-only mode, but I want
> to make sure that I'm not missing anything.

if you forward through a server that doesn't do any cache-pollution prevention
then you will not have any way to apply rules such as "don't cache/reuse this
additional data since it's not being supplied by a server who i think of as
authoritative for the zone of the owner-name".  all you can do is hope that
the server you're forwarding through has done that kind of work for you.  in
the case of BIND8, there's a hole in the anti-pollution logic, such that the
pollution-containing response will be forwarded to the requestor unmodified,
and only BIND8's own cache will be protected from the pollution.  this means
you don't have to worry about regenerated pollution from the BIND8 cache, but
you do have to worry about any response that results from a BIND8 cache miss.

i'm told that some/all versions of the microsoft recursive name server suffer
from the same problem.  and of course most BIND4 servers suffer from not only
this problem but the original problem of being willing to cache the pollution
and reuse it.  BIND9 and PowerDNS are fully regenerative, a requestor never
hears anything that came from a remote authority server, every response is
generated from the cache, and the cache is protected from pollution.
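The two properties the reply contrasts, a bailiwick rule ("don't cache or reuse data whose owner-name is outside the zone the responding server is trusted for") and a fully regenerative cache (the client only ever sees answers built from the cache, never the upstream packet), as an added example that is not code from the thread, from BIND, or from PowerDNS. Record names and addresses are constructed for illustration; the 192.0.2.0/24 and 203.0.113.0/24 addresses are documentation ranges, and the "victim.net" name stands in for whatever zone an attacker wants to hijack.

```python
# Bailiwick filtering plus a cache-regenerated answer path (added example).
# All records below are constructed for illustration; names and addresses are
# placeholders, not data from any real response.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, and rdata."""
    name: str
    rtype: str
    rdata: str


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so name comparisons are stable."""
    return name.rstrip(".").lower()


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is at or below the zone the responding server is trusted
    for.  The root zone ('.' or '') covers every name.  A name such as
    example.com.evil.org is NOT under example.com: the check requires a
    label boundary, not a bare suffix match."""
    owner, zone = normalize(owner), normalize(zone)
    if zone == "":
        return True
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone: str, records):
    """Split a response into (kept, dropped).  Records whose owner name lies
    outside the responding server's bailiwick are dropped no matter which
    section (answer, authority, additional) carried them."""
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


class RegenerativeCache:
    """Cache that stores only in-bailiwick records and answers clients from
    its own contents, so a client never sees the raw upstream response.
    (A forwarder that relays the upstream packet unmodified on a cache miss
    would bypass this path entirely.)"""

    def __init__(self):
        self._store = {}

    def ingest(self, zone: str, records):
        """Apply the bailiwick rule, then store what survives."""
        kept, dropped = filter_response(zone, records)
        for rr in kept:
            key = (normalize(rr.name), rr.rtype)
            self._store.setdefault(key, set()).add(rr.rdata)
        return kept, dropped

    def lookup(self, name: str, rtype: str):
        """Answer generated from the cache only; sorted for determinism."""
        return sorted(self._store.get((normalize(name), rtype), set()))


def poisoning_demo():
    """A query for www.example.com is answered by an example.com server, and
    the response smuggles in an unsolicited A record for a name in another
    zone.  Returns the cache plus the kept and dropped record lists."""
    response = [
        RR("www.example.com.", "A", "192.0.2.10"),        # genuine answer
        RR("example.com.", "NS", "ns1.example.com."),     # authority section
        RR("ns1.example.com.", "A", "192.0.2.53"),        # legitimate glue
        RR("www.victim.net.", "A", "203.0.113.66"),       # out of bailiwick
    ]
    cache = RegenerativeCache()
    kept, dropped = cache.ingest("example.com.", response)
    return cache, kept, dropped


if __name__ == "__main__":
    cache, kept, dropped = poisoning_demo()
    print("kept:   ", [(r.name, r.rtype, r.rdata) for r in kept])
    print("dropped:", [(r.name, r.rtype, r.rdata) for r in dropped])
    print("www.victim.net A from cache:", cache.lookup("www.victim.net", "A"))
```

The check is keyed on the owner-name of each record versus the zone the server was asked as an authority for; the section the record arrived in does not matter, which is what makes the additional-section variant no different from a forged answer record. The `RegenerativeCache.lookup` path is the "fully regenerative" behaviour: a client asking for `www.victim.net` gets nothing, because the out-of-bailiwick record never entered the cache and the raw upstream packet is never relayed.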
