
Help Understanding Cache Poisoning
\ Will (25 Nov 2006)
. \ Peter Dambier (25 Nov 2006)
. \ Will (26 Nov 2006)
. \ Barry Margolin (28 Nov 2006)

Subject: Re: Help Understanding Cache Poisoning
Group: Bind-users
From: Barry Margolin
Date: 28 Nov 2006


 
In article <ekas3n$2ala$1>,
"Will" <westes-usc> wrote:

> But the question was *how* does that poisoning happen? I see how a
> hacker can do a denial of service attack, but not how they can get the
> resolver to enter in bad values.

Often cache poisoning requires the resolver to look up names in a
particular domain that's legitimately delegated to the poisoner's
servers. The response to that query contains the "poison" data that
gets entered into the cache.

With a closed recursive server, you have to get one of the ISP's
customers to try to look up this domain -- maybe infect him with a
virus, use a domain that's a misspelling of a common domain, send him
spam with a link to your domain, etc.

But with an open server, all you have to do is send a query to the
server.

--
Barry Margolin, barmar
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
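
Added example, not part of the post above: Python code an administrator could use to tell, from the header of a DNS reply, whether their own resolver recursed for a client, which is the "open server" case the post describes. The function names and the sample packets are constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, txid=0x1234):
    """Encode an A/IN query with RD=1 (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify_response(packet, txid=0x1234):
    """Report how the server treated a recursive query from this client."""
    if len(packet) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != txid or not flags & 0x8000:      # wrong ID or QR bit clear
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:
        return "closed: query refused"
    if not flags & 0x0080:                     # RA bit clear
        return "closed: recursion not offered to this client"
    if rcode in (0, 3):
        return "open: server recursed for this client"
    return "undetermined: " + RCODES.get(rcode, str(rcode))

# Constructed sample replies (not captures): the question from build_query
# with the header flags a server would set in each case.
_A_RECORD = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])

def _reply(flags, answer=b""):
    question = build_query("example.com")[12:]
    ancount = 1 if answer else 0
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0) + question + answer

SAMPLES = {
    "open": _reply(0x8180, _A_RECORD),   # QR+RD+RA, NOERROR, one answer
    "refused": _reply(0x8105),           # QR+RD, REFUSED
    "no_ra": _reply(0x8100),             # QR+RD, RA clear
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", classify_response(pkt))
```

The result only describes the vantage point the query came from, so the check is meaningful when run against your own resolver from an address outside the ranges it is meant to serve.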



