Vagner Sacramento writes:
> BIND versions 4 and 8 use procedures that allow a remote DNS Spoofing
> attack against DNS servers.
Nonsense. All DNS caches will accept forged packets. See
http://cr.yp.to/djbdns/forgery.html
for an analysis of the cost of a forgery.
Yes, the cost of a blind forgery depends quite noticeably on the
software---it's larger for dnscache (djbdns) than for BIND 9 thanks to
BIND's port reuse, and larger for BIND 9 than for older versions of BIND
thanks to this ``vulnerability,'' which has been known for years---but
thinking that software can protect you from forged DNS packets with the
current DNS protocol is like thinking that shorts and a T-shirt will
protect you from the winter wind in Chicago.
Furthermore, the recommendation to limit recursion, while certainly a
good idea, doesn't make a big difference in the cost unless you also
clamp down on all the programs that act as DNS-query-tunneling tools:
SMTP servers, web browsers, etc.
---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
> BIND versions 4 and 8 use procedures that allow a remote DNS Spoofing
> attack against DNS servers.
Nonsense. All DNS caches will accept forged packets. See
http://cr.yp.to/djbdns/forgery.html
for an analysis of the cost of a forgery.
Yes, the cost of a blind forgery depends quite noticeably on the
software---it's larger for dnscache (djbdns) than for BIND 9 thanks to
BIND's port reuse, and larger for BIND 9 than for older versions of BIND
thanks to this ``vulnerability,'' which has been known for years---but
thinking that software can protect you from forged DNS packets with the
current DNS protocol is like thinking that shorts and a T-shirt will
protect you from the winter wind in Chicago.
Furthermore, the recommendation to limit recursion, while certainly a
good idea, doesn't make a big difference in the cost unless you also
clamp down on all the programs that act as DNS-query-tunneling tools:
SMTP servers, web browsers, etc.
---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
[ reply ]