DNS Attacks

Les Mikesell lesmikesell at gmail.com
Fri Jul 25 18:40:49 UTC 2008


James Kosin wrote:

>>
>> If you are really paranoid (or about to do large transactions on what 
>> you hope is your banking site), you could do a 'whois' lookup for the 
>> target domain to find their own name servers and send a query directly 
>> there for the target site.
>>
>>> The best approach would probably be a system to allow you to poll a 
>>> few DNS servers, and to take the returned ip address that comes back 
>>> from the most of them as the "correct" ip address!! but this isn't 
>>> implemented anywhere as far as I know....
>>
>> dig @dns_server target_name
>> will send a query to a specified DNS resolver.  Most public-facing 
>> servers will only resolve the names of their own zones, especially 
>> now.  I think the current vulnerability only involves cached addresses 
>> for which the server is not primary or secondary.
>>
> BUT, here is the really BAD news:
> a)  99.9% of the internet is really a cached service.  The only true DNS 
> entries are on the name servers that originated the DNS entry.  This is 
> why when you put up a new domain they suggest waiting about 3-4 days for 
> the internet to propagate the DNS names.  The information trickles down 
> the DNS servers until everyone has the corrected information or update.

The only real delay when adding something new is getting the registered 
servers for a domain into the root servers.  These should be the ones 
listed in the whois lookup.  There is a time-to-live associated with the 
addresses, so existing names may linger with the wrong addresses, though.

> b)  If the DNS is corrupted you can't rely on the DNS resolver to be 
> pointing to the correct IP!!  You could be digging on the phishing site 
> and they would be reporting false and bad information to you so they can 
> scam you out of your passwords and/or money.

They'd have to spoof several things at once to keep it from being 
obvious but you are right, the whois result will give names that you 
have to look up somehow.

-- 
   Les Mikesell
    lesmikesell at gmail.com
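
As an added example (not code from the thread or its authors), a small POSIX shell script that does what the quoted messages describe: query the zone's own name servers directly with dig, take the majority answer, and compare it to what the local resolver hands back. The names, addresses and the CHECK_NAME and NS_LIST variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the address your local
# resolver gives for a name against the zone's own name servers, with dig.
# All names and addresses used here are placeholders.
set -eu

# Print the most frequent line of stdin: the "majority vote" suggested above.
majority_answer() {
    sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }'
}

# Succeed when the locally cached answer appears among the authoritative
# answers read from stdin; failure suggests a poisoned cache (or a spoofed
# authoritative server, the caveat raised in the thread).
answer_is_consistent() {
    [ -n "$1" ] && grep -qx -- "$1"
}

# Ask each authoritative server directly and non-recursively for the A record.
# Servers come from NS_LIST if set (e.g. copied from whois), otherwise from an
# NS lookup through the local resolver, which is exactly what we don't trust.
authoritative_answers() {
    for ns in ${NS_LIST:-$(dig +short NS "$1")}; do
        dig +short +norecurse +time=2 +tries=1 @"$ns" A "$1" 2>/dev/null || true
    done
}

check_name() {
    local_ip=$(dig +short A "$1" | head -n 1)
    auth=$(authoritative_answers "$1")
    printf 'local resolver answer:   %s\n' "$local_ip"
    printf 'authoritative majority:  %s\n' "$(printf '%s\n' "$auth" | majority_answer)"
    if printf '%s\n' "$auth" | answer_is_consistent "$local_ip"; then
        echo "OK: cached answer is confirmed by an authoritative server"
    else
        echo "WARNING: cached answer not confirmed by authoritative servers"
        return 1
    fi
}

# Network access only when a name is supplied: CHECK_NAME=example.com sh check.sh
if [ -n "${CHECK_NAME:-}" ]; then
    check_name "$CHECK_NAME"
fi
```

The comparison still trusts whichever source supplied the NS names, so pass NS_LIST from an out-of-band whois lookup when the local resolver itself is in doubt.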