On Monday, 2005-04-18 at 22:08 ZE2, "Peter & Karin Dambier" <peter@peter-dambier.de> wrote:
> Preventing poisoning attacks:
> I guess most attacks are against Windows workstations.
I'm not sure what you mean by this. Cache poisoning applies to machines that are doing caching. It can affect any machine that depends on that cache.
> 1) Hide them behind a NAT-router. If they cannot see them, they cannot attack them.
I certainly hope that this would not help. I hope that caching machines will not simply take a packet from a random address and source port 53 and use it to update their cache. I hope that the source address, source port, and destination port, at least, are checked to correspond to an outstanding DNS query. If those all match, the packet will very likely get through a NAT router. In other words, the NAT router provides no protection from this attack at all. Why? Because it's an attack based on traffic that the NATed machine has initiated.
> 2) Have your own DNS-server, root-server, authoritative server, cache.
> You can have your own root-server: b.root-servers.net and c.root-servers.net as well as f.root-servers.net allow cloning. Just run your BIND 9 as a slave for "." . An authoritative server cannot be poisoned. Only resolvers can.
Certainly authoritative servers can be poisoned, but not for the domains that they're authoritative for. Running your own root only provides protection for the root zone. If I make a query for www.badguy.com and the auth. server for badguy.com returns an answer for www.yahoo.com in the additional data, and I cache it, I'm likely poisoned. That can happen even if I'm auth. for root.

Tony Rall
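The two resolver-side checks argued over in this exchange, as an added example that is not part of the original thread or of BIND: first, a response is only considered if its source address, source port, destination port, transaction ID and question match a query the resolver actually has outstanding (the check that makes a NAT router irrelevant, since a forged reply that passes it also passes the NAT); second, a bailiwick check that drops records the answering server has no authority over, such as a www.yahoo.com record in the additional section of a reply from badguy.com's server. All addresses, ports, names and records below are constructed for illustration; the toy resolver state is a hypothetical model, not any real implementation.

```python
"""Toy model of two cache-poisoning defences in a caching resolver.

1. Only accept a UDP reply that matches an outstanding query on
   (source IP, source port 53, our ephemeral destination port, TXID,
   question).  A reply that passes this also passes a NAT router,
   because the resolver initiated the exchange.
2. Bailiwick filtering: records outside the zone the queried server
   is authoritative for (e.g. www.yahoo.com from badguy.com's server)
   are discarded even if they arrive in an otherwise valid reply.
   Being authoritative for "." does not help with this case.

Everything here (addresses, ports, names, records) is constructed
sample data; Query/Response are a hypothetical resolver model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str


@dataclass(frozen=True)
class Query:
    """State a resolver keeps for one question in flight."""
    server_ip: str    # where we sent the query
    server_port: int  # 53
    local_port: int   # our ephemeral source port
    txid: int
    qname: str
    qtype: str
    zone: str         # zone the server is authoritative for (its bailiwick)


@dataclass(frozen=True)
class Response:
    src_ip: str
    src_port: int
    dst_port: int
    txid: int
    qname: str
    qtype: str
    answers: tuple
    additional: tuple


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone`. Zone "." covers everything."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if zone == "":
        return True
    return name == zone or name.endswith("." + zone)


def matches_outstanding(resp: Response, outstanding):
    """Return the outstanding Query this reply answers, or None.

    A reply from a random address, or to a port we did not send from,
    or with the wrong TXID/question is dropped here.
    """
    for q in outstanding:
        if (resp.src_ip == q.server_ip and resp.src_port == q.server_port
                and resp.dst_port == q.local_port and resp.txid == q.txid
                and resp.qname.lower() == q.qname.lower()
                and resp.qtype == q.qtype):
            return q
    return None


def process_response(resp: Response, outstanding, cache: dict):
    """Apply both checks. Returns (accepted, list of RRs cached)."""
    q = matches_outstanding(resp, outstanding)
    if q is None:
        return False, []
    cached = []
    for rr in resp.answers + resp.additional:
        if not in_bailiwick(rr.name, q.zone):
            continue  # out-of-bailiwick data: never enters the cache
        cache.setdefault((rr.name.lower(), rr.rtype), set()).add(rr.data)
        cached.append(rr)
    return True, cached


def demo():
    """Two constructed scenarios; returns their results and the cache."""
    outstanding = [Query("192.0.2.53", 53, 40001, 0x1A2B,
                         "www.badguy.com", "A", "badguy.com")]
    cache = {}
    # Scenario 1: blind forgery from an unrelated address. Rejected by
    # the matching check; a NAT router would not have been needed.
    spoof = Response("203.0.113.9", 53, 40001, 0x1A2B, "www.badguy.com", "A",
                     (RR("www.badguy.com", "A", "192.0.2.10"),),
                     (RR("www.yahoo.com", "A", "203.0.113.66"),))
    r1 = process_response(spoof, outstanding, cache)
    # Scenario 2: reply that matches on every field (the real server, or a
    # forger who guessed port and TXID) but smuggles a www.yahoo.com
    # record in the additional section.  Only the bailiwick check stops it.
    reply = Response("192.0.2.53", 53, 40001, 0x1A2B, "www.badguy.com", "A",
                     (RR("www.badguy.com", "A", "192.0.2.10"),),
                     (RR("ns1.badguy.com", "A", "192.0.2.53"),
                      RR("www.yahoo.com", "A", "203.0.113.66")))
    r2 = process_response(reply, outstanding, cache)
    return r1, r2, cache


if __name__ == "__main__":
    print(demo())
```

Scenario 1 is the case the NAT argument is about: the forged packet is addressed to a port the resolver opened itself, so a NAT router would forward it; what actually stops it is that the source address does not match the outstanding query. Scenario 2 is the case in the reply about running your own root: the reply is legitimate as far as the matching check can tell, and only refusing to cache records outside badguy.com keeps www.yahoo.com out of the cache.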