1. DNS/bailiwick-rule

DNS/in-bailiwick DNS/out-of-bailiwick

Hitch hiker's guide to cache poisoning

2. 6.5 Bailiwick rule

The primary purpose of the bailiwick rule is to prevent an authoritative server from
claiming the mappings from domain names belonging to other authorities.

The party that the cache server queried (a given zone server)

From this standpoint, the perspective differs from the question of whether a name is an internal name. -- ToshinoriMaeno 2014-10-29 05:19:29

To determine whether the bailiwick-checking logic of BIND and Unbound resolvers achieves this,
we used ProVerif to verify the following three properties:

query ev: evPoison(NSt/At/CNAMEt, targetname, dst, tl, cachedns, cacheda, cachedc) ⟶ ev: evRecursiveQueryStart(query, bailiwick, bailiwickAAserver) ∧ isSubName: query, bailiwick ∧ isSubName: targetname, bailiwick

These properties say that a record can enter the cache (represented by the cache poisoning event, since in our model all responses arrive from the network attacker) only in response to a recursive query and if targetname and query are subdomains of bailiwick.

Here bailiwick is the authority name closest to the domain label in the query.

According to ProVerif, these three properties hold in our model.

Therefore, the domain name of both legitimate and forged responses must be a subdomain of the proper bailiwick, as determined by the DNS resolver.

Note, however, that the bailiwick depends on the label of the current query.

An attacker may initiate a query for a domain of his choice or manipulate the resolver into issuing such a query (e.g., by tricking one of the resolver’s users into visiting a webpage with a link to the domain), thus ensuring that forged responses do not violate the bailiwick rule.
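The following is an added example, not code from the paper, from BIND or from Unbound. It models the bailiwick rule as the properties above state it: a record from a response may enter the cache only if both the query name and the record's owner name are equal to or below the bailiwick, where the bailiwick is the known authority name closest to the query label. The helper names (`is_sub_name`, `bailiwick_for`, `cacheable`, `filter_response`) and the sample response records are constructed for illustration; treating a name equal to the bailiwick as "in bailiwick" is an assumption, since the paper's `isSubName` is not spelled out on this page.

```python
# Added example (constructed): a minimal model of the bailiwick check.
# Helper names are hypothetical; they are not the resolvers' own functions.
from __future__ import annotations

from dataclasses import dataclass


def _labels(name: str) -> list[str]:
    """Split a DNS name into labels; the root name "." becomes []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_sub_name(name: str, bailiwick: str) -> bool:
    """True if `name` equals or lies below `bailiwick` (the paper's isSubName).
    Assumption: equality counts as in-bailiwick, so the zone apex is accepted."""
    n, b = _labels(name), _labels(bailiwick)
    if not b:                      # the root is an ancestor of every name
        return True
    return len(n) >= len(b) and n[-len(b):] == b


def bailiwick_for(query: str, known_authorities: set[str]) -> str:
    """The authority name closest to the query label: the deepest known zone
    that is an ancestor of (or equal to) the query name."""
    best = "."
    for zone in known_authorities:
        if is_sub_name(query, zone) and len(_labels(zone)) > len(_labels(best)):
            best = zone
    return best


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str


def cacheable(query: str, bailiwick: str, rr: RR) -> bool:
    """The bailiwick rule as stated by the properties: both the query name and
    the record's owner name must be inside the bailiwick of the query."""
    return is_sub_name(query, bailiwick) and is_sub_name(rr.owner, bailiwick)


def filter_response(query: str, known_authorities: set[str],
                    records: list[RR]) -> tuple[str, list[RR], list[RR]]:
    """Split a response into records the cache may keep and records it must drop."""
    bw = bailiwick_for(query, known_authorities)
    accepted = [r for r in records if cacheable(query, bw, r)]
    rejected = [r for r in records if not cacheable(query, bw, r)]
    return bw, accepted, rejected


# Constructed sample: a response to a query for www.example.com, received
# from the servers the resolver knows for example.com. Addresses are from the
# documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10"),            # answer, in bailiwick
    RR("example.com.", "NS", "ns1.example.com."),         # authority, apex
    RR("ns1.example.com.", "A", "192.0.2.53"),            # glue, in bailiwick
    RR("www.example.net.", "A", "198.51.100.7"),          # out of bailiwick
    RR("com.", "NS", "ns1.example.com."),                 # above the bailiwick
]

if __name__ == "__main__":
    bw, acc, rej = filter_response("www.example.com.",
                                   {".", "com.", "example.com."}, SAMPLE_RESPONSE)
    print("bailiwick:", bw)
    for r in acc:
        print("cache  ", r)
    for r in rej:
        print("drop   ", r)
```

The check compares names only: any record whose owner sits inside the bailiwick of the current query passes, whether it came from the real authority or from a forged response. That is exactly the point the paper makes above, since the bailiwick is fixed by the query label rather than by the responder. The rule therefore scopes what a response may say, but on its own it does not authenticate who said it.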


(結論)bailiwick rule はニセ返答攻撃を妨げることにはならない。