Is it possible to "prevent" poisoning attacks? Is it beneficial, or even possible, to prevent TTLs from being an excessively high value?
-- Jason 'XenoPhage' Frisvold XenoPhage0@gmail.com
Preventing poisoning attacks: I guess most attacks are against Windows workstations.

1) Hide them behind a NAT-router. If they cannot see them, they cannot attack them.

2) Have your own DNS-server, root-server, authoritative server, cache. You can have your own root-server: b.root-servers.net and c.root-servers.net as well as f.root-servers.net allow cloning. Just run your Bind 9 as a slave for ".". An authoritative server cannot be poisoned. Only resolvers can.

When you have sensitive addresses, put them into your /etc/hosts or clone their zone. Again Bind 9 allows it. Do their servers? Get the zone file via ftp or email. Authoritative servers cannot be poisoned.

Have your own cache behind the NAT-router. If they cannot see you, they cannot poison you. There is one exception from the rule: You browse "www.bad.guy". They have a nameserver "ns1.bad.guy" that returns something like

;; ANSWER SECTION:
a.root-servers.net.     86268   IN      A       205.189.71.2

Then your cache will be in the "Public-Root.net". But remember - an authoritative DNS-server cannot be poisoned.

Regards,
Peter Dambier

--
Peter und Karin Dambier
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-6252-599091 (O2 Genion)
+49-6252-750308 (Sipgate VoIP)
peter@peter-dambier.de
www.peter-dambier.de
peter-dambier.site.voila.fr
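The exception Peter describes (a response from ns1.bad.guy carrying an A record for a.root-servers.net) is exactly what a caching resolver's bailiwick check is meant to reject, and Jason's TTL question is what a max-cache-TTL clamp addresses. The following is an added example, not code from the thread or from BIND: it models both checks over a constructed response; the zone name "bad.guy." and the record values other than the one quoted above are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as it would appear in an answer section."""
    name: str
    rtype: str
    ttl: int
    rdata: str


def _labels(name):
    """Split a domain name into lowercase labels; the root "." becomes ()."""
    stripped = name.lower().rstrip(".")
    return tuple(stripped.split(".")) if stripped else ()


def in_bailiwick(rr_name, zone):
    """True if rr_name is at or below zone, compared label by label
    (so "notbad.guy." is NOT inside "bad.guy.")."""
    z, n = _labels(zone), _labels(rr_name)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def sanitize_answer(records, zone, max_cache_ttl=86400):
    """Keep only records the answering server is authoritative for, and clamp
    each TTL to max_cache_ttl before it would enter the cache.
    Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for rr in records:
        if not in_bailiwick(rr.name, zone):
            rejected.append(rr)          # out-of-bailiwick: never cache
            continue
        accepted.append(RR(rr.name, rr.rtype, min(rr.ttl, max_cache_ttl), rr.rdata))
    return accepted, rejected


# Constructed response from ns1.bad.guy to a query for www.bad.guy.
# The a.root-servers.net line is the one quoted in the post; the rest is made up.
SAMPLE_RESPONSE = [
    RR("www.bad.guy.", "A", 300, "203.0.113.10"),
    RR("a.root-servers.net.", "A", 86268, "205.189.71.2"),
    RR("bad.guy.", "NS", 604800, "ns1.bad.guy."),
]


if __name__ == "__main__":
    ok, dropped = sanitize_answer(SAMPLE_RESPONSE, "bad.guy.")
    for rr in dropped:
        print("rejected (out of bailiwick):", rr)
    for rr in ok:
        print("cached:", rr)
```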