Re: CAIS-ALERT: Vulnerability in the sending requests control of BIND

From: D. J. Bernstein (djb@cr.yp.to)
Date: 11/27/02

    Date: 27 Nov 2002 22:20:05 -0000
    From: "D. J. Bernstein" <djb@cr.yp.to>
    To: bugtraq@securityfocus.com

    Vagner Sacramento writes:
    > BIND versions 4 and 8 use procedures that allow a remote DNS Spoofing
    > attack against DNS servers.

    Nonsense. All DNS caches will accept forged packets. See

       http://cr.yp.to/djbdns/forgery.html

    for an analysis of the cost of a forgery.

    Yes, the cost of a blind forgery depends quite noticeably on the
    software---it's larger for dnscache (djbdns) than for BIND 9 thanks to
    BIND's port reuse, and larger for BIND 9 than for older versions of BIND
    thanks to this ``vulnerability,'' which has been known for years---but
    thinking that software can protect you from forged DNS packets with the
    current DNS protocol is like thinking that shorts and a T-shirt will
    protect you from the winter wind in Chicago.

    Furthermore, the recommendation to limit recursion, while certainly a
    good idea, doesn't make a big difference in the cost unless you also
    clamp down on all the programs that act as DNS-query-tunneling tools:
    SMTP servers, web browsers, etc.

    ---D. J. Bernstein, Associate Professor, Department of Mathematics,
    Statistics, and Computer Science, University of Illinois at Chicago
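    The post's point that forgery cost is set by how much of a reply a blind attacker has to guess (port and transaction ID), and that a resolver reusing one source port hands the attacker the port for free, can be put in numbers. The following is an added illustration written for this archive page, not code from the post, from djbdns or from BIND; the two resolver profiles, the fixed port number, the packet budget per query and the analytic cost formula are constructed assumptions chosen to compare the two cases.

```python
"""Model of why blind DNS forgery cost depends on source-port behaviour.

Added illustration, not code from the post or from djbdns/BIND. A cache
accepts a reply only while the query is outstanding and only if the reply
carries the query's 16-bit transaction ID, arrives at the UDP port the
cache sent from, and repeats the question. A blind attacker never sees the
real reply, so each forged packet is a guess at (port, txid). The profiles
below are constructed: 'port-reuse' stands for a resolver that keeps one
source port, 'random-port' for one that picks a fresh port per query.
"""
import random
from dataclasses import dataclass
from math import log2

PORT_LOW, PORT_HIGH = 1024, 65536   # assumed ephemeral port range
TXID_SPACE = 65536                  # DNS transaction ID is 16 bits


@dataclass(frozen=True)
class ResolverProfile:
    name: str
    random_port: bool
    fixed_port: int = 1053          # constructed value, used when not random_port


PORT_REUSE = ResolverProfile("port-reuse", random_port=False)
RANDOM_PORT = ResolverProfile("random-port", random_port=True)


def guess_space_bits(profile: ResolverProfile) -> float:
    """Bits a blind attacker must guess per reply: 16 for the txid, plus
    log2(port range) when the source port is fresh and random."""
    bits = 16.0
    if profile.random_port:
        bits += log2(PORT_HIGH - PORT_LOW)
    return bits


def expected_forged_packets(profile: ResolverProfile, guesses_per_query: int) -> float:
    """Analytic cost: each query window succeeds with probability
    guesses / 2**bits (geometric trials), and every window costs
    guesses_per_query packets, so E[packets] = guesses / p."""
    p = min(1.0, guesses_per_query / 2 ** guess_space_bits(profile))
    return guesses_per_query / p


def forged_reply_accepted(profile: ResolverProfile, guesses_per_query: int,
                          rng: random.Random) -> bool:
    """Simulate one outstanding query and a burst of blind forgeries.
    With a reused port the attacker already knows the port and spends the
    budget on distinct txids; with a random port each guess is an
    independent (port, txid) pair."""
    real_port = rng.randrange(PORT_LOW, PORT_HIGH) if profile.random_port else profile.fixed_port
    real_txid = rng.randrange(TXID_SPACE)
    if not profile.random_port:
        return real_txid in set(rng.sample(range(TXID_SPACE), guesses_per_query))
    for _ in range(guesses_per_query):
        if rng.randrange(PORT_LOW, PORT_HIGH) == real_port and rng.randrange(TXID_SPACE) == real_txid:
            return True
    return False


def acceptance_rate(profile: ResolverProfile, guesses_per_query: int,
                    queries: int, seed: int = 1) -> float:
    """Fraction of simulated queries for which a forged reply was accepted."""
    rng = random.Random(seed)
    hits = sum(forged_reply_accepted(profile, guesses_per_query, rng) for _ in range(queries))
    return hits / queries


if __name__ == "__main__":
    for profile in (PORT_REUSE, RANDOM_PORT):
        print(f"{profile.name:12s} guess space {guess_space_bits(profile):5.1f} bits, "
              f"expected packets for 1024/query: {expected_forged_packets(profile, 1024):.3g}, "
              f"simulated acceptance rate: {acceptance_rate(profile, 1024, 2000):.4f}")
```

    The simulation and the closed form agree: with the port known, about 2^16 packets buy a hit on average, while a fresh random port pushes the same budget to roughly 2^32, which is the gap the post describes between a port-reusing resolver and dnscache. Neither figure is zero, which is the post's wider point.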
