From owner-freebsd-security Sat Mar 13 6:32:51 1999
Date: Sat, 13 Mar 1999 07:29:26 -0700
From: Brett Glass
To: Jesse, freebsd-security@FreeBSD.ORG
Subject: Re: bind 8.1.2 cache poisoning

It can't be hard to poison the cache. Many daemons do reverse lookups on
hosts which connect to them, presenting a perfect opportunity to send a
spoofed response that gets into the cache. If the "claimed" name and the
spoofed one match, they can get stuck for a very long time (just make the
time to live very long on purpose).

For a standard that holds the Internet together, it is amazing just how
weak and awkward DNS really is.

--Brett

At 05:25 AM 3/13/99 -0800, Jesse wrote:
>
> Hi,
>
> I scanned my archives of freebsd-security and bugtraq and was surprised
> not to find anything on the topic. Sorry if I'm missing something
> obvious..
>
> I run an IRC server that's part of a small network. Recently I noticed one
> user with a very obviously fake hostname. The user started bragging to
> various people about it. He said that he had inserted bogus entries into
> the cache of the nameserver.
>
> So I checked around and found in the Jan 99 section of rootshell an
> exploit which claims to insert entries into the caches of bind 8.1.2
> servers (which is what I run and as far as I can tell is the latest
> version). If this is true, as it appears, I'm wondering why there's been
> no discussion of this anywhere (or any fixes). Seems pretty serious if
> anyone can screw with your DNS cache..
>
> Hopefully there's some sort of configuration error on my part that allows
> this to happen, but I think I have a pretty normal, secure setup.
>
> Any comments? I thought I'd check here first before writing the bind
> maintainers.
>
> Thanks,
>
> ---
> Jesse
> http://www.lumiere.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
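The failure Brett describes (a daemon's reverse lookup answered by a spoofed reply whose records, with a deliberately long TTL, then sit in the resolver's cache) is what a resolver's acceptance checks exist to stop. Below is an added example, not code from this thread or from BIND, showing those checks on simplified message structures: the reply must come from the queried server to the query's own port, carry the matching transaction id and question, only in-bailiwick records are kept, and the TTL is clamped. The `Pending`/`Reply` tuples, the bailiwick passed in, and all names and addresses are constructed assumptions.

```python
# Added example (not the mailing list's or BIND's code): resolver-side
# acceptance checks applied to a DNS reply before any record from it is
# cached. Pending/Reply stand in for parsed messages; values are constructed.
from collections import namedtuple

MAX_TTL = 86400  # clamp so a record sent with an enormous TTL cannot stick for weeks

# What the resolver sent: id, question, target server, ephemeral source port,
# and the bailiwick the queried server is authoritative for (assumed known
# from the delegation that led here).
Pending = namedtuple("Pending", "txid qname qtype server port zone")
Record = namedtuple("Record", "name rtype ttl data")
# A reply as received; records = answer and additional sections merged.
Reply = namedtuple("Reply", "txid qname qtype src dst_port records")

def in_bailiwick(name, zone):
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def accept_into_cache(pending, reply):
    """Return (records_to_cache, reason); records_to_cache is None if rejected."""
    if reply.src != pending.server or reply.dst_port != pending.port:
        return None, "reply not from the queried server or not to the query's port"
    if reply.txid != pending.txid:
        return None, "transaction id mismatch"
    if (reply.qname.lower(), reply.qtype) != (pending.qname.lower(), pending.qtype):
        return None, "question section does not match the outstanding query"
    kept = []
    for rr in reply.records:
        if not in_bailiwick(rr.name, pending.zone):
            continue  # unsolicited out-of-bailiwick data is dropped, never cached
        kept.append(Record(rr.name, rr.rtype, min(rr.ttl, MAX_TTL), rr.data))
    return kept, "ok"

# Constructed sample: a PTR lookup for a connecting client (as an IRC daemon
# does) answered with a huge TTL plus an unsolicited A record for a hostname.
PENDING = Pending(0x1A2B, "9.113.0.203.in-addr.arpa", "PTR",
                  "198.51.100.53", 40123, "113.0.203.in-addr.arpa")
REPLY = Reply(0x1A2B, "9.113.0.203.in-addr.arpa", "PTR", "198.51.100.53", 40123,
              [Record("9.113.0.203.in-addr.arpa", "PTR", 10**9, "irc.example.net."),
               Record("irc.example.net", "A", 10**9, "203.0.113.9")])

if __name__ == "__main__":
    print(accept_into_cache(PENDING, REPLY))
```

With the sample input only the PTR record survives, its TTL cut to `MAX_TTL`; a copy of the reply from a different source address or with a different transaction id is rejected outright.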