DNS Games

Summary
Description:Some games you can play with resolvers (if you control a DNS server) Phillip Jaenke shows some examples.
Author:"Phillip R. Jaenke" <prj@NLS.NET>
Compromise:Trick resolvers
Vulnerable Systems:Those with flaky resolvers (like gethostbyname()) (I guess). It is a wierd sort of problem.
Date:6 October 1997
Details


Date: Mon, 6 Oct 1997 12:52:27 -0400
From: "Phillip R. Jaenke" <prj@NLS.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Flaw in DNS

    [The following text is in the "ISO-8859-1" character set]
    [Your display is set for the "US-ASCII" character set]
    [Some characters may be displayed incorrectly]

This is a fun little flaw, and it applies to all daemons. Even NT's
pseudo-daemon.

gw: {1} % nslookup 207.206.37.250
Server:  gw.pcimporters.com
Address:  207.206.76.1

Name:    127.0.0.1
Address:  207.206.37.250

Believe it or not, this WILL resolve on most systems. 207.206.37.250 is my
routed IP reserved for the other machines I have here. So, basically, I can
hop on IRC as root@127.0.0.1. Doesn't do much, except for vanity.

Now, think carefully about this. What happens if I do something like this?:

gw: {1} % nslookup 207.206.37.250
Server:  gw.pcimporters.com
Address:  207.206.76.1

Name:    192.168.1.1
Address:  207.206.37.250

With a former coworker, we've seen that this WILL resolve 99% of the time.
It will also cause various maladies. Hop on IRC, it tries to send an identd
request to the resolved host. It gets an unreachable.

Ping the box. If it resolves, and tries to reply to the resolved address...
well, let's just say it could be quite painful.

And it's dangerously easy to implement. Just add an A record for your IP
that points to another. There's various ways you can do it to cause
problems.

Unroutable IPs
Localhost IPs
ARPA's (ie; 250.37.206.207.in-addr.arpa)
Invalid Names (ie; nice.try)

-Phillip R. Jaenke  [InterNIC Handle: PRJ5]  (prj@nls.net)
MIS Department, PC Importers, Inc. 800.319.9284, x4262
"Why do you pay tax on Spam? It's a non-food product!"

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault