Comments on: DNS Updates – The cat, a now empty bag, and poison http://ddos.arbornetworks.com/2008/07/dns-updates-the-cat-a-now-empty-bag-and-poison/ A weblog dedicated to educating the community on security threats that matter Sun, 29 Jan 2012 02:23:23 +0000 hourly 1 http://wordpress.org/?v= By: Mark Adams http://ddos.arbornetworks.com/2008/07/dns-updates-the-cat-a-now-empty-bag-and-poison/comment-page-1/#comment-148189 Mark Adams Sun, 27 Jul 2008 16:45:02 +0000 http://asert.arbornetworks.com/?p=273#comment-148189 I really thought that this was going to be an exploit that targeted non-public recursive nameservers as well. Tom Ptacek had suggested that perhaps cross site scripting combined with a typical poison attack was making even private nameservers susceptible to controlled queries by the attacker. I thought I'd read that this would even affect private recursive caching nameservers behind firewalls. That doesn't appear to be the case. The exploit posted still requires queries sent directly to the nameserver, and although this is frightening because so many blindly use public DNS nameservers, it's not going to affect those who were already smart enough not to blindly trust some anonymous third party's idea of DNS. It's always been a fundamental security practice not to use DNS servers that you don't trust. Unfortunately most Internet users simply use their ISPs nameservers, even though no privacy policy is provided and no security even hinted at. This is why my brother and I started ifirefly.com earlier this year. I'm still hoping that more information is released at Black Hat that we haven't seen. Otherwise, like you said, it's an interesting new attack methodology, but it's not a new vulnerability, or a bug that Kaminski found. I really thought that this was going to be an exploit that targeted non-public recursive nameservers as well. Tom Ptacek had suggested that perhaps cross site scripting combined with a typical poison attack was making even private nameservers susceptible to controlled queries by the attacker. I thought I’d read that this would even affect private recursive caching nameservers behind firewalls.

That doesn’t appear to be the case. The exploit posted still requires queries sent directly to the nameserver, and although this is frightening because so many blindly use public DNS nameservers, it’s not going to affect those who were already smart enough not to blindly trust some anonymous third party’s idea of DNS. It’s always been a fundamental security practice not to use DNS servers that you don’t trust. Unfortunately most Internet users simply use their ISPs nameservers, even though no privacy policy is provided and no security even hinted at. This is why my brother and I started ifirefly.com earlier this year.

I’m still hoping that more information is released at Black Hat that we haven’t seen. Otherwise, like you said, it’s an interesting new attack methodology, but it’s not a new vulnerability, or a bug that Kaminski found.

]]>