[aklug] Re: DNS Exploit (fwd)

From: James Zuelow <e5z8652@zuelow.net>
Date: Fri Jul 11 2008 - 07:03:12 AKDT

On Friday 11 July 2008 02:54:03 am bryanm@acsalaska.net wrote:
> On Thu, July 10, 2008 10:41 am, Arthur Corliss wrote:
> > Your boxed router is typically using an upstream DNS server. If your ISP
> > hasn't updated, you're vulnerable by proxy. If, however, it runs a true
> > caching DNS then you're not vulnerable since it'll be talking to
> > authoritative DNS servers only.
>
> I'm a little confused. Presumably most home users get their
> name resolution from their ISP's DNS servers. Doesn't that
> make them vulnerable?
>

I think any actual attack like this would have to be very targeted. To attack
an ISP's DNS servers an attacker would have to determine what port the ISP's
DNS severs were making requests on, sniff the request ID, and then insert
their replies into data the ISP's DNS servers are expecting back. AND
account for multiple ISP DNS servers, AND account for a BIND daemon
restarting and changing ports.

Maybe I'm betraying my non-1337 status (1 5ux0rz! ) but that seems non trivial
to me.

James
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Fri Jul 11 07:03:27 2008

This archive was generated by hypermail 2.1.8 : Fri Jul 11 2008 - 07:03:27 AKDT