
Re: _DNS_ security problems



>1) In the bind-4.9.3 (beta something) distribution, in the file
>SunSecurity, it is mentioned that:
>
>--------------------------------------------------------------------
>The C library shipped with SunOS 4.1.3 (and perhaps earlier and later
>versions) has some added "security code" inside of gethostbyaddr().
>This code consists of doing a gethostbyname() on the result of a
>gethostbyaddr(), and then checking to see if one of the addresses
>returned by gethostbyname() matches the original argument to
>gethostbyaddr().  In other words, it checks to see that a host has both
>a PTR record, and a matching A record.
Yes. This is excellent practice. (And, as I indicated before, is
exactly what TCP Wrappers does manually.)

>...naturally, one cannot assume this is true for all gethostbyaddr()'s,
>but this sets a good precedent. 
Yes. I agree, though I'd prefer to see this code in some new
function 'gethostbyaddr_definitely()' or something.

>I'm not convinced that such
>functionality belongs in gethostbyaddr(), but I do believe there should
>at least be a function (if there isn't already, I don't work with this
>stuff frequently) in the standard bind distribution, that does precisely
>this (independent of your chosen #ifdef's).
Yes, I agree. However, note that Java wasn't calling gethostbyaddr()
but rather gethostbyname(), as far as I can tell. But you could
imagine a similar modification to gethostbyname().


>2) Additionally, (and perhaps more importantly) purdue-thesis.ps, in
>that same distribution, discusses advertising bogus PTR's, in addition
>to bogus A's.  The mechanisms of such advertising are discussed in a
>somewhat hand-waving manner.  From pages 42 and 43:
[Description of how to spoof PTR records deleted]
Yep. This is only one of a number of ways to spoof DNS. I indicated
that this was possible in my original message. In fact, if you remember,
I said 
'[As I'll discuss later, however, spoofing could be used
to defeat the obvious defense against this attack.]'

and ...
'Now, a real spoofing attack can be used to defeat this. The attacker
would forge the reply for the reverse lookup for 4.5.6.7 and return
attacker.com. DNS security is intended to prevent this from happening.'

-Ekr
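The double lookup discussed in this thread (a gethostbyaddr() followed by a gethostbyname() on the returned name, accepting the name only if one of its addresses matches the original argument) can be written as a small wrapper around the ordinary resolver calls. The following is an added example, not code from the post or from the bind distribution; the function name gethostbyaddr_definitely is taken from the post's own suggestion, the zone tables are constructed for the example, and the default resolvers use Python's standard socket module, which (like the generic C library) performs no forward confirmation on its own. The 4.5.6.7 / attacker.com case is the one the post describes: a forged PTR alone fails the check, while an attacker who also controls the forward zone for the claimed name would not be caught, which is the gap DNS security is meant to close.

```python
"""Forward-confirmed reverse lookup: PTR result must have a matching A record."""
import socket
from typing import Callable, Dict, Iterable, List, Optional

# A reverse lookup maps an address to its PTR name (or None); a forward lookup
# maps a name to its A-record addresses.  Both are injectable so the check can
# be exercised against constructed data without touching the network.
ReverseLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], Iterable[str]]


def system_reverse(addr: str) -> Optional[str]:
    """PTR lookup through the system resolver; no confirmation is done here."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def system_forward(name: str) -> List[str]:
    """A-record lookup through the system resolver; empty list on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def gethostbyaddr_definitely(addr: str,
                             reverse: ReverseLookup = system_reverse,
                             forward: ForwardLookup = system_forward) -> Optional[str]:
    """Return the PTR name for addr only if that name resolves back to addr.

    Mirrors the SunOS gethostbyaddr() behaviour quoted in the thread: a host
    must have both a PTR record and an A record pointing at the same address.
    Returns None when either record is missing or they do not agree.
    """
    name = reverse(addr)
    if name is None:
        return None
    # Multihomed hosts return several addresses; any one matching is enough.
    if addr in set(forward(name)):
        return name
    return None


# --- Constructed zone data for demonstration (not real hosts) ---------------
# The reverse zone for 4.5.6.7 is under the attacker's control and advertises
# a PTR claiming the trusted name, but the trusted forward zone has no A record
# for that address, so the confirmation step rejects it.
CONSTRUCTED_PTR: Dict[str, str] = {
    "10.1.1.1": "trusted.example",   # honest host: A record maps back
    "4.5.6.7": "trusted.example",    # forged PTR from attacker.com's reverse zone
    "10.1.1.2": "multi.example",     # multihomed host with several A records
}
CONSTRUCTED_A: Dict[str, List[str]] = {
    "trusted.example": ["10.1.1.1"],
    "multi.example": ["10.1.1.3", "10.1.1.2"],
    "attacker.com": ["4.5.6.7"],
}


def table_reverse(addr: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(addr)


def table_forward(name: str) -> List[str]:
    return CONSTRUCTED_A.get(name, [])


def demo() -> Dict[str, Optional[str]]:
    """Run the check over the constructed data; None means 'not confirmed'."""
    return {addr: gethostbyaddr_definitely(addr, table_reverse, table_forward)
            for addr in ["10.1.1.1", "4.5.6.7", "10.1.1.2", "192.0.2.9"]}


if __name__ == "__main__":
    for addr, result in demo().items():
        print(f"{addr:>10} -> {result}")
```

Only the confirmed name is returned; a caller that would otherwise trust the PTR string (for access control, logging, or the Java-style host comparison mentioned in the thread) gets None for the forged case and can treat the address as unnamed.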