poison the DNS cache by returning a bogus IP as a CNAME for a real server
You can poison DNS cache by returning a bogus IP as a CNAME for a real server.
Johannes Erdfelt outlined this type of attack originally.
Almost all current DNS servers, including bind 8.1 and M$ DNS
14 June 1997 (It was actually discovered in April, apparently)
That url, http://apostols.org/toolz/dnshack.cgi, works even with the
supposed release version of bind 8.1 (05-06-97). The culprit is a query for
DNS.test.15169.spoof.apostols.org, which returns that address as being a
CNAME for Ohhh.shit.My.DNS.server.is.vulnerable, and tacks a whole bunch of
other info into the response. All of it ends up in everyone's cache.
This is the same type of attack outlined by Johannes Erdfelt back in
April. It's nothing difficult or fancy. In about 2 minutes, I had my local
name server returning bogus information in the same genre as the test page
above. All I had to do was tell my server it was authoritative for the
domain I was spoofing.
Excuse me if I am completely wrong on this, but couldn't we just
ignore any RRs for stuff we didn't directly ask for? Just let our local
server initiate another query for Ohhh.shit.My.DNS.server.is.vulnerable.?
The remote server is not authoritative for that domain, and would never get
a chance to answer. Granted that this would increase latency and bandwidth,
but it would avoid the problem.
I certainly wouldn't mind it if everyone had servers that injected
www.enemy.org for www.microsoft.com, but microsoft might. :)
| David M. Dandar email@example.com |
| PGP public key available via finger from above address. |
| firstname.lastname@example.org email@example.com firstname.lastname@example.org |
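The filter the post proposes, keeping only records the answering server is entitled to speak for and resolving an out-of-zone CNAME target with a separate query, as an added Python example that is not code from the post. The response contents and addresses are constructed to mirror the shape described above, and the zone boundary apostols.org is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str     # owner name of the record
    rtype: str    # "A", "CNAME", ...
    rdata: str    # address, or target name for CNAME
    section: str  # "answer", "authority" or "additional"

def _norm(name: str) -> str:
    return name.rstrip(".").lower()

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies beneath it."""
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)

def filter_response(zone: str, records: list[RR]) -> tuple[list[RR], list[str]]:
    """Keep only RRs owned inside the zone the server was asked about.
    Returns (records safe to cache, names that need their own fresh query)."""
    accepted, pending = [], []
    for rr in records:
        if not in_bailiwick(rr.name, zone):
            continue  # not something we asked this server about: never cache it
        accepted.append(rr)
        if rr.rtype == "CNAME" and not in_bailiwick(rr.rdata, zone):
            pending.append(_norm(rr.rdata))  # resolve the target ourselves
    return accepted, pending

# Constructed response modelled on the post: a CNAME to a name outside the
# zone, plus extra records the server has no business answering for.
ZONE = "apostols.org"  # assumed: the zone this server was delegated for
SAMPLE = [
    RR("DNS.test.15169.spoof.apostols.org.", "CNAME",
       "Ohhh.shit.My.DNS.server.is.vulnerable.", "answer"),
    RR("Ohhh.shit.My.DNS.server.is.vulnerable.", "A", "192.0.2.1", "answer"),
    RR("www.example.com.", "A", "192.0.2.2", "additional"),
]

def demo() -> tuple[list[RR], list[str]]:
    return filter_response(ZONE, SAMPLE)

if __name__ == "__main__":
    kept, todo = demo()
    print("cache:", [(r.name, r.rtype) for r in kept])
    print("re-query:", todo)
```

Only the CNAME itself survives; the bogus A records are dropped and the CNAME target goes back through normal resolution, which is the bailiwick check later resolvers adopted.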
This page is part of Fyodor's exploit