[Unbound-users] Increase RRset poisoning resistance
7v5w7go9ub0o
7v5w7go9ub0o at gmail.com
Mon Aug 11 15:03:43 UTC 2008
Please consider another newbie posting and question.
Referring to this article (Matasano):
<http://beezari.livejournal.com/141796.html>
and this article (Friedl):
<http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html#poisoning>
there seem to be two attacks of current (Kaminsky) interest:
1. "poison a single address record" attack.
This is when an attacker tries to match the qid/port of a request. This
is clearly not an issue with unbound, which is well designed in
terms of randomness, and has first-rate test results; e.g.
<https://www.dns-oarc.net/oarc/services/porttest>
2. "hijack the authority records" (RRset poisoning). This is where the
server is sent to a bogus authority NS that is in-bailiwick with the target.
The last five paragraphs of the Matasano paper (from "5" to the end)
describe how an in-bailiwick poisoning could occur; the last few
paragraphs of the Friedl paper perhaps describe it more elegantly.
If I understand correctly, this second attack is much more likely to
succeed because it is continuous - a series of requested in-bailiwick
addresses can be sequentially increased and re-requested, resulting in
continuous queries by the recursive server.
Suggestion: That unbound incorporate additional logic to defend against
a "poisoned authority record" attack - logic in addition to its superior
port/qid randomization?
This additional logic is: that an exact match, not merely an
"in-bailiwick" match be required before unbound would accept glue/RR
record additions or updates.
It seems to me that little harm would result if unbound were instructed
to accept glue/RR records only from *exact* matches, and not from
*inexact*, but in-bailiwick authority records.
Thanks for considering this.
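The two acceptance rules the post contrasts, modelled as an added example that is not part of the original post and not Unbound's own code: a plain "in-bailiwick" check (cache any authority/additional record whose owner sits at or below the zone the queried server is authoritative for) beside the stricter rule the post proposes (cache such records only when their owner exactly matches the name that was queried). The record/response classes, the function names, and the three sample responses (a Kaminsky-style forgery for a random in-bailiwick name, an out-of-bailiwick forgery, and an ordinary referral from a parent zone) are all constructed for this example; the IP addresses are documentation ranges, not real hosts.

```python
# Added example: compare the in-bailiwick rule with the exact-match rule
# proposed in the post. Illustrative model only, not Unbound's implementation.
from dataclasses import dataclass, field
from typing import List, Tuple


def labels(name: str) -> Tuple[str, ...]:
    """Normalise a dotted name to a lowercase label tuple, root side first,
    so "NS.Example.com." -> ("com", "example", "ns"). Trailing dot ignored."""
    parts = [p.lower() for p in name.rstrip(".").split(".") if p]
    return tuple(reversed(parts))


def in_bailiwick(owner: str, zone: str) -> bool:
    """Classic check: owner is the zone apex or somewhere beneath it."""
    o, z = labels(owner), labels(zone)
    return o[: len(z)] == z


@dataclass(frozen=True)
class RR:
    owner: str   # owner name of the record
    rtype: str   # "NS", "A", ...
    rdata: str   # target name for NS, address for A


@dataclass
class Response:
    qname: str                       # name the resolver asked for
    zone: str                        # zone the queried server was delegated for
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def accept_in_bailiwick(resp: Response) -> List[RR]:
    """Cache every authority/additional RR whose owner lies inside the zone.
    This is the rule the Kaminsky forgery exploits: a random in-bailiwick
    qname lets the attacker ship NS/glue for the whole zone apex."""
    return [rr for rr in resp.authority + resp.additional
            if in_bailiwick(rr.owner, resp.zone)]


def accept_exact(resp: Response) -> List[RR]:
    """The post's proposal: besides being in-bailiwick, the owner must be
    exactly the queried name. Apex NS/glue riding along in a response for
    some other name is therefore not cached."""
    want = labels(resp.qname)
    return [rr for rr in resp.authority + resp.additional
            if in_bailiwick(rr.owner, resp.zone) and labels(rr.owner) == want]


# Constructed sample responses (not captured traffic).

# 1. Kaminsky-style forgery: query was for a random in-bailiwick name; the
#    forged authority section claims the apex NS and supplies attacker glue.
KAMINSKY = Response(
    qname="rand123.example.com",
    zone="example.com",
    authority=[RR("example.com", "NS", "ns.example.com")],
    additional=[RR("ns.example.com", "A", "198.51.100.66")],  # attacker
)

# 2. Older out-of-bailiwick forgery: owner is outside the queried zone.
OUT_OF_BAILIWICK = Response(
    qname="rand123.example.com",
    zone="example.com",
    authority=[RR("bank.example", "NS", "ns.attacker.example")],
    additional=[RR("ns.attacker.example", "A", "198.51.100.66")],
)

# 3. Ordinary referral from the parent (.com) zone for a child name.
REFERRAL = Response(
    qname="www.example.com",
    zone="com",
    authority=[RR("example.com", "NS", "ns1.example.com")],
    additional=[RR("ns1.example.com", "A", "192.0.2.1")],
)


def compare(resp: Response) -> dict:
    """Return what each policy would cache for one response."""
    return {"in_bailiwick": accept_in_bailiwick(resp),
            "exact": accept_exact(resp)}


if __name__ == "__main__":
    for name, resp in [("kaminsky", KAMINSKY),
                       ("out_of_bailiwick", OUT_OF_BAILIWICK),
                       ("referral", REFERRAL)]:
        result = compare(resp)
        print(f"{name}: in_bailiwick caches {len(result['in_bailiwick'])} RR(s), "
              f"exact caches {len(result['exact'])} RR(s)")
```

In this model the forged apex NS plus glue is cached under the plain bailiwick rule but dropped under the exact-match rule, while the out-of-bailiwick forgery is dropped under both. The third sample shows the trade-off the post weighs as "little harm": a normal parent-side referral carries NS/glue whose owner is the delegated child zone rather than the queried name, so the exact-match rule as modelled here does not cache that delegation data either.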