Re: z/OS BIND9 DNS Vulnerable to Cache Poisoning Attack Problem?
- From: Eric Chevalier <etech@xxxxxxxxxxxxxxxx>
- Date: Mon, 04 Aug 2008 16:33:03 -0500
On 4 Aug 2008 13:58:04 -0700,
edjaffe@xxxxxxxxxxxxxxxxxxx (Edward Jaffe) wrote:
> 52% of servers being tested at Kaminsky's site --
> http://www.doxpara.com/ -- are still vulnerable. (This includes my home
> broadband ISP cox.net. :-( )
Kaminsky alleges that "far more than 52% of [DNS] servers are vulnerable".
It appears that Kaminsky's test protocol is to send some number of DNS
queries to a target name server, and then see how many *different*
source ports come back in the response packets. Where that number is
small (or worst-case, always the same), the protocol assumes a
vulnerable name server.
However, if Kaminsky's protocol is not *also* checking to see whether
the response was recursive, his numbers might overstate the percentage
of servers that are actually vulnerable. A name server that does not
cache (a completely non-recursive server, for example) is not
vulnerable to cache-poisoning attacks, even though it might always
send responses on the same source port.
My comments are not meant to minimize the overall seriousness of the cache
poisoning vulnerability.
Eric
--
Eric Chevalier E-mail: etech@xxxxxxxxxxxxxxxx
Web: www.tulsagrammer.com
Is that call really worth your child's life? HANG UP AND DRIVE!
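The test protocol described in the message above, with the recursion caveat built in, as an added Python example that is not part of the original post and is not Kaminsky's doxpara tester: it takes a set of responses captured from one server, counts how many distinct UDP source ports they came from, and reads the RA (recursion available) bit from the DNS header so that a server that does not recurse (and so does not cache) is not reported as a cache-poisoning risk just because it answers from one port. The sample responses, the verdict names and the `low_ratio` threshold are constructed assumptions for this example.

```python
import struct
from collections import Counter

DNS_FLAG_QR = 0x8000  # set on responses
DNS_FLAG_RA = 0x0080  # "recursion available": set by recursive (caching) resolvers


def build_response_header(txid, recursion_available):
    """Construct a minimal 12-byte DNS header standing in for a captured response."""
    flags = DNS_FLAG_QR | (DNS_FLAG_RA if recursion_available else 0)
    # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, all big-endian 16-bit
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def parse_header(raw):
    """Return the transaction ID and the QR/RA flags from a raw DNS header."""
    if len(raw) < 12:
        raise ValueError("a DNS header is 12 bytes")
    txid, flags = struct.unpack("!HH", raw[:4])
    return {"id": txid, "qr": bool(flags & DNS_FLAG_QR), "ra": bool(flags & DNS_FLAG_RA)}


def assess_source_ports(responses, low_ratio=0.5):
    """
    responses: list of (udp_source_port, raw_dns_header) captured from one server.
    Returns (verdict, detail). Verdicts (names chosen for this example):
      NOT_RECURSIVE    - RA never set: the server does not cache, so port reuse
                         does not expose it to cache poisoning (the caveat in the post)
      FIXED_PORT       - recursive server that answered every query from one port
      LOW_ENTROPY      - recursive server reusing ports more than low_ratio allows
      RANDOMIZED_PORTS - distinct ports roughly track the number of queries
    low_ratio is an assumed cut-off, not Kaminsky's exact criterion.
    """
    if not responses:
        raise ValueError("need at least one response")
    headers = [parse_header(h) for _, h in responses]
    if not all(h["qr"] for h in headers):
        raise ValueError("every packet must be a response (QR=1)")
    port_counts = Counter(port for port, _ in responses)
    detail = {
        "responses": len(responses),
        "distinct_ports": len(port_counts),
        "recursion_available": any(h["ra"] for h in headers),
    }
    if not detail["recursion_available"]:
        return "NOT_RECURSIVE", detail
    if detail["distinct_ports"] == 1:
        return "FIXED_PORT", detail
    if detail["distinct_ports"] / detail["responses"] < low_ratio:
        return "LOW_ENTROPY", detail
    return "RANDOMIZED_PORTS", detail


# Constructed sample captures (not real traffic): eight responses per server.
SAMPLE_FIXED_RECURSIVE = [(53, build_response_header(0x1000 + i, True)) for i in range(8)]
SAMPLE_FIXED_AUTHORITATIVE = [(53, build_response_header(0x2000 + i, False)) for i in range(8)]
SAMPLE_RANDOMIZED = [
    (p, build_response_header(0x3000 + i, True))
    for i, p in enumerate([40231, 55902, 33017, 61440, 49871, 38754, 52003, 44410])
]
SAMPLE_LOW = [
    (p, build_response_header(0x4000 + i, True))
    for i, p in enumerate([1024, 1025, 1024, 1025, 1024, 1025, 1024, 1025])
]

if __name__ == "__main__":
    for name, sample in [
        ("fixed port, recursive", SAMPLE_FIXED_RECURSIVE),
        ("fixed port, non-recursive", SAMPLE_FIXED_AUTHORITATIVE),
        ("randomized ports", SAMPLE_RANDOMIZED),
        ("two alternating ports", SAMPLE_LOW),
    ]:
        verdict, detail = assess_source_ports(sample)
        print(f"{name:28s} -> {verdict} {detail}")
```

The non-recursive sample shows the point of the message: it answers from the same port every time, yet is reported as NOT_RECURSIVE rather than FIXED_PORT, because without caching there is nothing to poison. Run against captures from a resolver you operate, only the recursive verdicts should drive remediation.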