## page was renamed from DNS/毒盛/Kaminsky講演/Tony Finch の疑問 ## page was renamed from DNS/キャッシュサーバ毒盛/Kaminsky講演/Tony Finch の疑問 ## page was renamed from DNS/キャッシュサーバ毒盛/Kaminsky型攻撃/Tony Finch の疑問 ## page was renamed from DNS/キャッシュサーバ毒盛/Kaminskyの攻撃手法/Tony Finch の疑問 ## page was renamed from DNS/Kaminskyの攻撃手法/Tony Finch の疑問 Describe DNS/Kaminskyの攻撃手法/Tony Finch の疑問 here. == Kaminskyの攻撃手法/Tony Finch の疑問 == 疑問をもつことは奨励されるべきだ。 [http://fanf.livejournal.com/91801.html Tony Finch - Kaminsky] {{{ I've now read Dan Kaminsky's slides, which are mostly ranting "the sky is falling" and pointing out what assumes secure DNS. The actual attack is not described in any more detail than previous public sources. I still don't understand why resolvers accept the poison: Kaminsky seems to be suggesting that data in the additional section of a reply is overwriting cached answers, which RFC 2181 says must not happen. Anyway, }}} 要約 : RFC 2181 に従うなら、毒盛できないはずだ。 {{{ Kaminsky says his attack allows him to overwrite data in a DNS cache. The reason Matasano's glue / additional RR explanation is wrong can be found in RFC 2181 section 5.4.1, which says that additional RRs must not override authoritative data in the DNS cache. }}} RFC 2181 5.4.1 では additional RRs は キャッシュ内の autoritative データを 上書きしないとある。(キャッシュになにがあるかは明らかではないが。) {{{ However, if you look at RFC 1034 section 3.6.2 you'll see that the data for a CNAME target goes in the answer section, not the additional section. }}} (CNAME ターゲットについてのデータは answer 節に入れるべきである。) {{{ Presumably this means the resolver treats it as trustworthy and therefore overwrites its "old" cached data with the CNAME target data. }}} これなら、CNAME ターゲットはキャッシュを上書きしそうだが、 しかし、RFC 2181 は別の記述がある。 {{{ (However RFC 2181 also says that a resolver shouldn't trust CNAME target data, which implies this attack shouldn't work, though I can see why it does if the CNAME target is in the same zone as the CNAME owner.) }}} {{{ So the attack is: (1) cause the victim to look up lots of random invalid domain names adjacent to the goal name whose data you want to overwrite; (2) spoof authoritative answers that contain two records: a CNAME whose owner is your random invalid name and whose target is your goal name, plus the data for the goal name that you want to insert into the victim's cache; (3) when you win the spoofing race your data for the goal name overwrites whatever the victim previously had cached. }}} {{{ So there's another form of attack which is closer to the Matasano description but still different in significant ways. This relies on the fact that (again according to RFC 2181 section 5.4.1) data in the authority section of a reply is given a lot of trust. }}} {{{ The attack is: (1) cause the victim to look up lots of random invalid domain names adjacent to the goal name whose data you want to overwrite; (2) spoof authoritative answers that have an authority section containing replacement NS records for the target's zone which point to nameservers you control; (3) when you win the spoofing race the victim will start using your name servers for the target zone instead of the proper nameservers; (4) your nameserver can reply in whatever way you want for the target name, but you'll have to wait for it to expire from the victim's cache. }}} {{{ Therefore this attack is slower than the CNAME attack. }}} ------ でも、ちょっと違う方向へ向かっているようだ。