FYI...DNS cache poisoning
Last Updated: 2011-06-27 19:19:08 UTC - "... teaching this week at (a) University... we were victims of a DNS cache poisoning attack. Since the network admin was not at his office because class was at night, there was nothing I could do but wait for the DNS cache to expire.

How this attack works and how we can protect ourselves

The DNS process works as follows to resolve an IP address from a fully qualified domain name (FQDN):

• Client sends a query to the internal DNS looking for an IP address for a machine name.
• Internal DNS server performs recursion and, if the answer is not present in the cache, looks for the IP address on the internet from the authoritative nameserver of the domain.
• The authoritative nameserver answers with the IP address requested.
• The internal DNS server answers the client with the IP address.

The attack works as follows:

• Attacker queries the target DNS server for an FQDN not present in the cache.
• Target DNS server performs recursion and looks for the IP address on the internet from the authoritative nameserver of the domain.
• Attacker floods the target DNS server with fake responses for the query.
• Target DNS server updates the cache and begins serving the fake IP address every time the FQDN is requested.

How do we protect ourselves from the attack?

• Use the latest version of your DNS server (I really like BIND*), as it randomizes the source port of your queries.
• Do not allow recursion from outside of your network. Allow it only from your corporate network computers.
• Use DNSSEC. The root servers have supported it since July 15, 2010, and the protocol allows authenticating valid records from domain zones.

... For those of you using a Windows DNS server, source port randomization is built in to Windows 2008 R2's DNS server and other versions that have 'Security Update MS08-037' applied."

* http://www.isc.org/software/bind
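As an added illustration, not part of the quoted diary or of BIND, here is a toy Python model of the resolver-side check a forged response has to pass: an answer is cached only when its transaction ID and UDP port match the query actually sent, and guess_space shows why the source port randomization mentioned above matters, since the combinations a spoofed flood must hit grow from 2^16 to roughly 2^32. ToyResolver, Question and guess_space are names chosen here for the example.

```python
"""Toy model of a caching resolver's response-acceptance check (constructed example)."""
import random
from dataclasses import dataclass

EPHEMERAL_PORTS = range(1024, 65536)  # ports a resolver may pick when randomizing


@dataclass(frozen=True)
class Question:
    name: str
    qtype: str = "A"


class ToyResolver:
    """Keeps one outstanding upstream query per question plus a simple cache."""

    def __init__(self, randomize_port: bool, rng=None):
        self.randomize_port = randomize_port
        self.rng = rng or random.Random()
        self.cache = {}        # Question -> answer data
        self.outstanding = {}  # Question -> (txid, UDP source port)

    def send_query(self, q: Question):
        """Choose the 16-bit transaction ID and the UDP source port for an upstream query."""
        txid = self.rng.randrange(65536)
        # Old resolvers always sent from a fixed port (53 here); patched ones randomize it.
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else 53
        self.outstanding[q] = (txid, port)
        return txid, port

    def accept_response(self, q: Question, txid: int, dst_port: int, data: str) -> bool:
        """Cache the answer only if it matches an outstanding query; otherwise drop it."""
        expected = self.outstanding.get(q)
        if expected is None or expected != (txid, dst_port):
            return False  # unsolicited, or txid/port mismatch: treated as spoofed or stale
        self.cache[q] = data
        del self.outstanding[q]  # later duplicates for this query are ignored
        return True


def guess_space(randomize_port: bool) -> int:
    """Number of (txid, port) combinations a forged response must match."""
    return 65536 * (len(EPHEMERAL_PORTS) if randomize_port else 1)


if __name__ == "__main__":
    for randomize in (False, True):
        print(f"randomize_port={randomize}: {guess_space(randomize):,} combinations")
```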