[dns-operations] Opened Pandora's box of Cache Poisoning

Hauke Lampe lampe at hauke-lampe.de
Sat May 3 12:36:20 UTC 2014

Hello Tsunehiko

On 03.05.2014 08:40, T.Suzuki wrote:

> Additional page:
> http://www.e-ontap.com/dns/pandora_acjp_e/

>From the information on your site, I surmise you managed to poison the
cache of a BIND 9.9.2-P2 resolver. Can you disclose by which method you
injected the fake NS rrsets? Was DNSSEC validation disabled?

For a randomly chosen unsigned zone in ac.jp, I see named sending these
queries in the process:

To .             A? www.u-tokyo.ac.jp.
To jp.           A? www.u-tokyo.ac.jp. (x)
To u-tokyo.ac.jp A? www.u-tokyo.ac.jp.
To .             DS? jp.
To .             DS? ac.jp.
To jp.           DS? ac.jp. (+)
To jp.           DNSKEY? jp.
To jp.           DS? u-tokyo.ac.jp.

If I understand you correctly, you successfully spoofed the response to
the second query (x), and instead of the original direct delegation
installed a fake NS rrset for ac.jp in the cache, redirecting the next
query to your own nameserver.

If DNSSEC validation is active, the DS query for ac.jp (+) would
probably break the chain as it proves the absence of the delegation.

Does that sound about right or did I miss some crucial details? (I'm
really just a DNS operator, not a computer scientist. ;)


More information about the dns-operations mailing list