On Wed, 23 Jul 2008, Kevin Day wrote:
> The new way is slightly more sneaky. You get the victim to try to resolve an otherwise invalid and uncached hostname like 00001.gmail.com, and try to beat the real response with spoofed replies. Except this time your reply comes with an additional record containing the IP for www.gmail.com to the one you want to redirect it to. If you win the race and the victim accepts your spoof for 00001.gmail.com, it will also accept (and overwrite any cached value) for your additional record for www.gmail.com as well.
RFC 2181 says the resolver should not overwrite authoritative data with additional data in this manner. I believe the Matasano description is wrong.

Tony.

-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
FORTIES CROMARTY FORTH TYNE DOGGER: EAST OR SOUTHEAST 3 OR 4, INCREASING 5 OR 6 LATER. SLIGHT OR MODERATE. FOG PATCHES. GOOD, OCCASIONALLY VERY POOR.
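The exchange turns on the RFC 2181 section 5.4.1 rule that lower-trust data must not replace higher-trust cached data. The following toy resolver cache, written for this page and not code from either poster, replays the scenario above with constructed addresses and shows why the additional record for www.gmail.com is rejected when the ranking is enforced, and accepted when it is not.

```python
"""Toy resolver cache illustrating the RFC 2181 section 5.4.1 trust ranking.
Constructed example; addresses come from the documentation ranges (RFC 5737)."""
from dataclasses import dataclass

# Subset of the RFC 2181 ranking, most trusted first (lower number = higher trust).
RANK_ANSWER_AUTHORITATIVE = 1  # answer section of an authoritative (AA) reply
RANK_ANSWER_NONAUTH = 2        # answer section of a non-authoritative reply
RANK_ADDITIONAL = 3            # additional section of any reply


@dataclass
class Record:
    name: str
    rtype: str
    rdata: str
    rank: int


class Cache:
    def __init__(self, enforce_ranking: bool = True):
        self.enforce_ranking = enforce_ranking
        self.entries: dict[tuple[str, str], Record] = {}

    def store(self, rec: Record) -> bool:
        """Insert a record; return False if the RFC 2181 rule rejects it."""
        key = (rec.name.lower(), rec.rtype)
        old = self.entries.get(key)
        # Data with lower trust must not replace data with higher trust;
        # equal or higher trust replaces the cached copy.
        if self.enforce_ranking and old is not None and rec.rank > old.rank:
            return False
        self.entries[key] = rec
        return True

    def lookup(self, name: str, rtype: str):
        rec = self.entries.get((name.lower(), rtype))
        return rec.rdata if rec else None


def poison_attempt(enforce_ranking: bool) -> tuple:
    """Replay the thread's scenario; return the cached A records for
    (www.gmail.com, 00001.gmail.com) after the spoofed reply is processed."""
    cache = Cache(enforce_ranking)
    # Legitimate authoritative answer already in the cache (constructed address).
    cache.store(Record("www.gmail.com", "A", "192.0.2.10", RANK_ANSWER_AUTHORITATIVE))
    # Spoofed reply that won the race for the uncached name: its answer section
    # is accepted, but its additional record for www.gmail.com ranks lower than
    # the authoritative data already cached and is dropped under the RFC rule.
    cache.store(Record("00001.gmail.com", "A", "203.0.113.5", RANK_ANSWER_AUTHORITATIVE))
    cache.store(Record("www.gmail.com", "A", "203.0.113.5", RANK_ADDITIONAL))
    return cache.lookup("www.gmail.com", "A"), cache.lookup("00001.gmail.com", "A")
```

With `enforce_ranking=False` the cache behaves as Kevin Day's description assumes and the additional record replaces the cached answer; with ranking on, only the queried name is affected.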