[dns-operations] Opened Pandora's box of Cache Poisoning
Hauke Lampe
lampe at hauke-lampe.de
Sat May 3 12:36:20 UTC 2014
Hello Tsunehiko
On 03.05.2014 08:40, T.Suzuki wrote:
> Additional page:
> http://www.e-ontap.com/dns/pandora_acjp_e/
From the information on your site, I surmise you managed to poison the
cache of a BIND 9.9.2-P2 resolver. Can you disclose by which method you
injected the fake NS rrsets? Was DNSSEC validation disabled?
For a randomly chosen unsigned zone in ac.jp, I see named sending these
queries in the process:
To . A? www.u-tokyo.ac.jp.
To jp. A? www.u-tokyo.ac.jp. (x)
To u-tokyo.ac.jp A? www.u-tokyo.ac.jp.
To . DS? jp.
To . DS? ac.jp.
To jp. DS? ac.jp. (+)
To jp. DNSKEY? jp.
To jp. DS? u-tokyo.ac.jp.
If I understand you correctly, you successfully spoofed the response to
the second query (x), and instead of the original direct delegation
installed a fake NS rrset for ac.jp in the cache, redirecting the next
query to your own nameserver.
If DNSSEC validation is active, the DS query for ac.jp (+) would
probably break the chain as it proves the absence of the delegation.
Does that sound about right or did I miss some crucial details? (I'm
really just a DNS operator, not a computer scientist. ;)
Hauke.
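As an added illustration of the scenario described in the message above (this is constructed example code, not code from the message, from BIND or from the referenced page), the following Python model walks the referral chain for www.u-tokyo.ac.jp., shows why an NS rrset for ac.jp. injected into the reply to the (x) query passes a plain bailiwick check and gets cached, and shows how the DS lookup at the signed parent, the (+) query, breaks the chain when validation is on. All server names (ns-jp.example., ns-utokyo.example., ns.attacker.example., root.example.) are made up, and the signed denial of a delegation at ac.jp. is reduced to a set lookup rather than real NSEC processing.

```python
"""Constructed model of the referral chain and the spoofed NS ac.jp. referral
discussed in the message above.  Added illustration, not code from the
message, from BIND or from the referenced page; server names are made up
and the DS step is reduced to a set lookup."""
from dataclasses import dataclass


def labels(name):
    """'www.u-tokyo.ac.jp.' -> ['jp', 'ac', 'u-tokyo', 'www']; the root is []."""
    return [l for l in name.lower().rstrip(".").split(".") if l][::-1]


def is_ancestor(zone, name):
    """True when `name` is at or below `zone` (the root is above everything)."""
    z = labels(zone)
    return labels(name)[:len(z)] == z


@dataclass
class Referral:
    """Authority section of a delegation response: an NS rrset owned by `zone`."""
    zone: str
    nameservers: tuple


# Constructed delegation data of the legitimate servers.  As in the trace,
# jp. delegates u-tokyo.ac.jp. directly; there is no zone cut at ac.jp.
LEGIT = {
    ".": {"jp.": ("ns-jp.example.",)},
    "jp.": {"u-tokyo.ac.jp.": ("ns-utokyo.example.",)},
}
# What a signed jp. zone proves to a validator (modelled as a set):
# u-tokyo.ac.jp. is an unsigned delegation (NS bit, no DS); ac.jp. has no NS bit.
JP_ZONE_CUTS = {"u-tokyo.ac.jp."}


def legit_responder(zone, qname):
    """Server for `zone` returns its referral for qname, or None if it answers itself."""
    for child, ns in LEGIT.get(zone, {}).items():
        if is_ancestor(child, qname):
            return Referral(child, ns)
    return None


def spoofing_responder(zone, qname):
    """Attacker wins the race for the query sent to jp. (the (x) query) and
    injects NS ac.jp.; the next query then reaches the attacker's server."""
    if zone == "jp.":
        return Referral("ac.jp.", ("ns.attacker.example.",))
    if zone == "ac.jp.":
        return None            # attacker's server answers www.u-tokyo.ac.jp. itself
    return legit_responder(zone, qname)


class Resolver:
    def __init__(self, validate):
        self.validate = validate
        self.cache = {".": ("root.example.",)}     # constructed priming data

    def accept(self, asked_zone, qname, ref):
        """Plain bailiwick rule: the NS rrset must lie strictly below the zone
        that was asked and at or above the qname.  NS ac.jp. in a reply
        attributed to jp. passes this rule, which is why it can be cached."""
        ok = (is_ancestor(asked_zone, ref.zone) and ref.zone != asked_zone
              and is_ancestor(ref.zone, qname))
        if ok:
            self.cache[ref.zone] = ref.nameservers
        return ok

    def ds_chain_ok(self, parent, child):
        """The (+) step: ask the signed parent for DS `child`.  A signed denial
        whose NSEC carries no NS bit proves there is no delegation at `child`,
        so the cached NS rrset is not trusted.  Only the jp. step is modelled."""
        if parent != "jp.":
            return True
        return child in JP_ZONE_CUTS

    def delegation_path(self, qname, responder):
        """Follow referrals from the root; returns (status, zones asked, final NS)."""
        path = ["."]
        while True:
            zone = path[-1]
            ref = responder(zone, qname)
            if ref is None:
                return "OK", path, self.cache[zone]
            if not self.accept(zone, qname, ref):
                return "DROPPED", path, None
            if self.validate and not self.ds_chain_ok(zone, ref.zone):
                return "SERVFAIL", path, None
            path.append(ref.zone)


if __name__ == "__main__":
    q = "www.u-tokyo.ac.jp."
    print(Resolver(False).delegation_path(q, legit_responder))
    print(Resolver(False).delegation_path(q, spoofing_responder))
    print(Resolver(True).delegation_path(q, spoofing_responder))
```

Without validation the spoofed reply leaves NS ac.jp. pointing at ns.attacker.example. in the cache and the final query goes there; with validation the walk stops at jp. with SERVFAIL because the modelled signed parent proves that ac.jp. is not a zone cut. The model deliberately leaves out TTLs, credibility ranking of cached data and the exact acceptance rules a real resolver such as BIND applies; it only isolates the bailiwick and DS logic the message reasons about.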