What is the issue?
A method of inserting false data into a name server has been discovered by a security researcher. This method affects recursive name servers, which are usually provided by ISPs and network operators to provide DNS service to their end users. As these types of name servers remember previous lookups in a cache, they are often called caching name servers, caching resolvers or similar.
The attack relies on the fact that an attacker can send fake DNS answers in response to a query and trick it into thinking the wrong data is correct for a given domain. The method is a specific type of cache poisoning attack. It is called cache poisoning because the server remembers the wrong answer in its cache, and then provides that wrong answer in future lookups.
While similar vulnerabilities have been discovered in the past, and have been patched in software, this attack is particularly concerning as it is far more effective. This has significantly raised the level of concern.
The cache poisoning is made much more viable, in part, by the fact that many name servers use the same source port number for every one of their DNS queries. If the source port is easy to guess, an attacker can much more reliably predict how to attack the server. One mitigation technique is to therefore use a randomised source port. This helps reduce the risk of attack, but does not solve the problem entirely.
Why is this issue critical only for some domain operators?
Domains are operated on a name server configuration known as an authoritative name server. Authoritative name servers are not vulnerable to this type of attack. However, a number of domain operators use servers that are configured both as an “authoritative name server” and as a “recursive name server”. The vulnerability in the recursive portion of the name server can infect the data of the authoritative name server, therefore making the authoritative portion vulnerable.
continue reading: http://www.iana.org/reports/2008/cross-pollination-faq.html
A method of inserting false data into a name server has been discovered by a security researcher. This method affects recursive name servers, which are usually provided by ISPs and network operators to provide DNS service to their end users. As these types of name servers remember previous lookups in a cache, they are often called caching name servers, caching resolvers or similar.
The attack relies on the fact that an attacker can send fake DNS answers in response to a query and trick it into thinking the wrong data is correct for a given domain. The method is a specific type of cache poisoning attack. It is called cache poisoning because the server remembers the wrong answer in its cache, and then provides that wrong answer in future lookups.
While similar vulnerabilities have been discovered in the past, and have been patched in software, this attack is particularly concerning as it is far more effective. This has significantly raised the level of concern.
The cache poisoning is made much more viable, in part, by the fact that many name servers use the same source port number for every one of their DNS queries. If the source port is easy to guess, an attacker can much more reliably predict how to attack the server. One mitigation technique is to therefore use a randomised source port. This helps reduce the risk of attack, but does not solve the problem entirely.
Why is this issue critical only for some domain operators?
Domains are operated on a name server configuration known as an authoritative name server. Authoritative name servers are not vulnerable to this type of attack. However, a number of domain operators use servers that are configured both as an “authoritative name server” and as a “recursive name server”. The vulnerability in the recursive portion of the name server can infect the data of the authoritative name server, therefore making the authoritative portion vulnerable.
continue reading: http://www.iana.org/reports/2008/cross-pollination-faq.html
Comments
Post a Comment