Re: DNS cache poisoning attacks -- are they real?
* Brad Knowles:
At 12:09 AM +0200 2005-03-28, Florian Weimer wrote:
I doubt this will work on a large scale.
It's already been done on a large scale.
At least recent BIND resolvers would discard replies from the abused caching resolvers because they lack the AA bit, so only clients using the resolvers as actual resolvers are affected.
Incorrect.
Indeed.
The resolver requiring that the AA bit be set would prohibit anyone from forwarding queries to another server, which might be answering from cache.
Would you point me to such a configuration? I don't think it will work reliably for this purpose because BIND 9 only waives the requirement for the AA bit if the authority section of the response remotely looks like a referral. I doubt that this is the case if you simply redirect to a cache.
participants (1)
-
Florian Weimer