Daily Dave (dailydave) Mailing List

Re: DNS Speculation

Thu, 24 Jul 2008 06:26:44 +0200

Posted by Cedric Blancher on Jul 24

Le jeudi 24 juillet 2008 à 01:26 +0200, ninjaboy a écrit :
> http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

Not what I am talking about. Adding pwned.doxpara.com to a cache is fun,
but not that interesting after all. I am talking about overwriting
domain NS record into targeted cache....

Re: Speculation

Wed, 23 Jul 2008 21:17:31 -0700

Posted by Alexander Sotirov on Jul 23

On Tue, Jul 22, 2008 at 10:05:23PM -0400, dan_at_geer.org wrote:
> mmaiffret_at_inveniosecurity.com writes
> -+---------------------------------
> | Really it is a sad reminder that the current state of
> | the art when it comes to security and the resiliency
> | of...

Re: DNS Speculation

Thu, 24 Jul 2008 01:26:19 +0200

Posted by ninjaboy on Jul 24

2008/7/23 Cedric Blancher <blancher_at_cartel-securite.fr>:
> Le mardi 22 juillet 2008 à 02:42 -0700, Alexander Sotirov a écrit :
>> Spoofing a A record:
>> Right before step 7, the attacker sends a spoofed response from ns.google.com
>> that includes an A...

DNS Speculation

Wed, 23 Jul 2008 11:47:53 -0400

Posted by Joseph Patterson on Jul 23

So, now I've taken a good hard look at what someone claims is a mirror
of a post that may or may not explain the whole DNS issue. Based on
that obviously perfectly reliable information, all I can say is "whee".
Actually, no, that's not all I can say.

First off, DNS is...

Re: DNS Speculation

Wed, 23 Jul 2008 11:08:58 -0400

Posted by Tyler Krpata on Jul 23

On Tue, Jul 22, 2008 at 9:15 PM, Petja van der Lek <lek_at_xs4all.nl> wrote:
>
> If it does, then this would obviously be an Extremely Bad thing, since
> an attacker could just poison a resolver anytime, anyplace, anywhere. If
> it doesn't overwrite the cached entry, I...

Re: DNS Speculation

Wed, 23 Jul 2008 13:22:45 +0200

Posted by Cedric Blancher on Jul 23

Le mardi 22 juillet 2008 à 02:42 -0700, Alexander Sotirov a écrit :
> Spoofing a A record:
> Right before step 7, the attacker sends a spoofed response from ns.google.com
> that includes an A record for www.google.com and points it to 1.2.3.4 (which is
> an attacker controlled...

Re: DNS Speculation

Tue, 22 Jul 2008 23:00:55 -0700

Posted by Blue Boar on Jul 22

Tetrapodal Giant wrote:
> Since there really has been a fair amount of warning on this/these
> issue(s), I'm curious why it took so long to actually implement a fix.

Recall the earlier thread, about whether pen testers should have to
produce a working exploit, or whether the advisee...

Re: DNS Speculation

Tue, 22 Jul 2008 19:22:46 -0700

Posted by Dominique Brezinski on Jul 22

On Tue, Jul 22, 2008 at 10:27 AM, natron <shiftnato_at_gmail.com> wrote:
> I assume that mucking with ns.google.com's ability to update
> *.google.com records on the fly would probably negatively impact large
> organizations current DNS architectures, where they probably...

Re: Speculation

Tue, 22 Jul 2008 22:05:23 -0400

Posted by dan_at_geer.org on Jul 22

mmaiffret_at_inveniosecurity.com writes
-+---------------------------------
| Really it is a sad reminder that the current state of
| the art when it comes to security and the resiliency
| of our systems has a lot to do with making sure the
| good guys only talk...

Re: DNS Speculation

Wed, 23 Jul 2008 03:15:58 +0200

Posted by Petja van der Lek on Jul 23

In an effort to move beyond the "guess the bug" stage a bit, and
thinking more about detection and mitigation, I'm trying to gauge
whether this vulnerability is Really Bad™ or Extremely Bad™. In
particular, whether ye olde caching resolver will overwrite an RR
already in the cache...

Re: DNS Speculation

Tue, 22 Jul 2008 14:52:56 -0500

Posted by Tetrapodal Giant on Jul 22

Hi All -

On 7/22/08, Parity <pty.err_at_gmail.com> wrote:

> >From DJB's notes:

I'm a huge nobody at this smarty party, but I'm bothered by a few
aspects of this whole issue.

Since there really has been a fair amount of warning on this/these
issue(s), I'm curious why it took...

Re: DNS Speculation

Tue, 22 Jul 2008 13:54:29 -0400

Posted by Tyler Krpata on Jul 22

>
> I've been trying to understand the attack, but I am not sure that I really get
> it. It looks like the only way it would work is if the DNS resolvers accept
> records they didn't ask for. Do they? If they do, why?
>

They do, for "in-bailiwick" records.

...

Re: DNS Speculation

Tue, 22 Jul 2008 12:27:09 -0500

Posted by natron on Jul 22

Additionally, there's no A record in the invalid response, but there
are A records if it's a valid response. Consider the output from
www.google.com:

;; AUTHORITY SECTION:
l.google.com. 56129 IN NS e.l.google.com.
l.google.com. 56129 IN NS...

Re: DNS Speculation

Tue, 22 Jul 2008 12:18:12 -0500

Posted by natron on Jul 22

In your scenario, the root servers would have more control over the
*.google.com domain than google.com would, correct? You are proposing
that the client/resolving DNS server cache the root server's response
and not let ns.google.com overwrite the entry. As a general
discussion of trust, it...

Re: DNS Speculation

Tue, 22 Jul 2008 10:17:35 -0700

Posted by Dominique Brezinski on Jul 22

On Tue, Jul 22, 2008 at 9:55 AM, Alexander Sotirov <alex_at_sotirov.net> wrote:
> Alright, so then my question is why would the resolver accept the additional RR
> record for ns.google.com? It didn't ask for ns.google.com, it should just ignore
> the extra RR. The only...