tqbf@smtp.enteract.com writes:
In article <19970730001246.22933@netmonger.net>, you wrote:
_details_. Paul has written papers on DNS security, along with BIND itself, and I'm inclined to believe him when he says there are no more trivial fixes. If you know of one, why don't you share it? I'm not
Fair enough.
Here's a simple piece of input. If BIND 8.1.1 receives a DNS query response with an invalid query ID, it logs it and drops the packet. However, the invalid query ID is evidence of an attack in progress. Why doesn't BIND parse the packet, find out what question is being answered, and immediately re-issue the query with a different ID?
Oh, beautiful. I'd love a tool like that -- it would give me a way of forcing copies of BIND that had been rigged not to accept arbitrary outside queries to make queries of my choice. Were I a systems cracker, I would love such a tool. I can think of some other mean hacks I could do with that facility, too. The problem is not a lack of "clever hacks". The problem is a lack of security in the DNS protocols without DNSSEC.
In other words, it's possible for BIND to detect that it is under attack (in a response-forged query-ID guessing situation). BIND doesn't do anything about this. Why?
Because the idea isn't very intelligent? Because not everyone on earth is an idiot and stuff like this has been considered before by other people and rejected because it wasn't a brilliant idea?
Just the simplest suggestion I can come up with (without having this go into multiple pages) to convey the idea that I am trying to be constructive here.
No, what you are, Mr. Ptacek, is someone none of us have ever heard of who is coming in like a bull in a china shop informing us that although the people who build and maintain things like BIND aren't very bright, you are out there willing to save us. Thanks, but no thanks. Perry