DNS Games
Description: Some games you can play with resolvers (if you control a DNS server). Phillip Jaenke shows some examples.
Author: "Phillip R. Jaenke" <prj@NLS.NET>
Compromise: Trick resolvers
Vulnerable Systems: Those with flaky resolvers (like gethostbyname()) (I guess). It is a weird sort of problem.
Date: 6 October 1997
Date: Mon, 6 Oct 1997 12:52:27 -0400
From: "Phillip R. Jaenke" <prj@NLS.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Flaw in DNS
This is a fun little flaw, and it applies to all daemons. Even NT's
pseudo-daemon.
gw: {1} % nslookup 207.206.37.250
Server: gw.pcimporters.com
Address: 207.206.76.1
Name: 127.0.0.1
Address: 207.206.37.250
Believe it or not, this WILL resolve on most systems. 207.206.37.250 is my
routed IP reserved for the other machines I have here. So, basically, I can
hop on IRC as root@127.0.0.1. Doesn't do much, except for vanity.
Now, think carefully about this. What happens if I do something like this?:
gw: {1} % nslookup 207.206.37.250
Server: gw.pcimporters.com
Address: 207.206.76.1
Name: 192.168.1.1
Address: 207.206.37.250
With a former coworker, we've seen that this WILL resolve 99% of the time.
It will also cause various maladies. Hop on IRC, it tries to send an identd
request to the resolved host. It gets an unreachable.
Ping the box. If it resolves, and tries to reply to the resolved address...
well, let's just say it could be quite painful.
And it's dangerously easy to implement. Just add an A record for your IP
that points to another. There are various ways you can do it to cause
problems.
Unroutable IPs
Localhost IPs
ARPA's (ie; 250.37.206.207.in-addr.arpa)
Invalid Names (ie; nice.try)
-Phillip R. Jaenke [InterNIC Handle: PRJ5] (prj@nls.net)
MIS Department, PC Importers, Inc. 800.319.9284, x4262
"Why do you pay tax on Spam? It's a non-food product!"
This page is part of Fyodor's exploit
world.
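
The post above depends on a service trusting whatever name a reverse lookup hands back. As an added example (not part of the original post or of this archive), the Python function below shows the receiving side's check: reject names that are address literals, reverse-tree names or malformed, then forward-confirm the rest. The names check_ptr_name, forward_lookup, sample_lookup and host.example.net are assumptions made for the example; the lookup is a stand-in for a real resolver call so the code runs offline.

```python
import ipaddress
import re

# One RFC 1123 host label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def check_ptr_name(peer_ip, ptr_name, forward_lookup):
    """Decide whether a name returned by a reverse lookup may be trusted.

    forward_lookup(name) -> list of address strings. It is a hypothetical
    stand-in for the real resolver call so the check runs offline.
    Returns (trusted, reason).
    """
    name = ptr_name.rstrip(".").lower()
    try:
        ipaddress.ip_address(name)
        return False, "name is an IP literal"
    except ValueError:
        pass  # not an address literal, keep checking
    labels = name.split(".")
    if labels[-1] == "arpa":
        return False, "name is inside the reverse tree"
    if len(name) > 253 or not all(_LABEL.fullmatch(l) for l in labels):
        return False, "name is not a valid hostname"
    if labels[-1].isdigit():
        return False, "top-level label is numeric"
    # Forward-confirm: the name must map back to the address that connected.
    peer = ipaddress.ip_address(peer_ip)
    confirmed = {ipaddress.ip_address(a) for a in forward_lookup(name)}
    if peer not in confirmed:
        return False, "forward lookup does not confirm the peer address"
    return True, "forward-confirmed"


# Constructed sample zone data; host.example.net is a made-up name.
SAMPLE_ZONE = {"host.example.net": ["207.206.37.250"]}


def sample_lookup(name):
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for ptr in ("127.0.0.1", "192.168.1.1", "250.37.206.207.in-addr.arpa",
                "nice.try", "host.example.net"):
        print(ptr, check_ptr_name("207.206.37.250", ptr, sample_lookup))
```

A name that fails the check should be logged and displayed as the raw peer address, never as the unverified name.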