1. djbdns/DNS_forgery

DNS forgery 私訳

参考: http://djbdns.qmail.jp/djbdns/res-disaster.html

I've given a few talks on 'The DNS security mess': 2003.02.11 (slides available). 2003.03.18 (slides available). 2004.04.28 (slides available).

In theory, cryptography can eliminate all of the DNS attacks described on this web page. In practice, DNSSEC has received millions of dollars in U.S. government grants and after fifteen years still has not stopped any attacks. My efforts in this area are now focused on DNSCurve, a completely different way to use cryptography to protect DNS.



1.1. February 2009 comments

I introduced UDP port randomization in the first dnscache release in December 1999. PowerDNS copied the same feature in 2006. As far as I know, between December 1999 and July 2008, all other DNS software on the Internet allowed blind attacks that were likely to succeed using fewer than 100000 packets.

Many DNS software authors issued "emergency" UDP-port-randomization patches in July 2008. Some of these patches, and some subsequent patches, also attempted to stop colliding attacks, by combining "duplicate-query suppression" with various other mechanisms. Kevin Day issued a patch of this type for dnscache in February 2009.

Day also issued a security alert ("CVE-2008-4392") stating that dnscache, without duplicate-query suppression, allowed a colliding attack using tens of millions of packets. Day failed to mention that exactly the same information has been available on this web page since November 2002. As far as I know, my July 2001 posting on the topic was the first publication of colliding attacks on DNS.

I haven't reviewed the patches that attempt to stop colliding attacks against dnscache, BIND, etc. Even if these patches work properly, they are at best a speed bump for blind attackers. Saying "An attacker has to send billions of packets on average" is like saying "An attacker has to download a movie"; yes, it takes a little time, but it's not a serious obstacle.

There is a much simpler way that clients can stop blind attackers without requiring any changes from servers: namely, query repetition, another mechanism that has been discussed on this web page since November 2002. Unfortunately, even with query repetition, attackers who control nearby computers can trivially forge DNS responses.

Attackers are estimated to control more than 10% of the computers on the Internet. If a computer on your network has been compromised by an attacker anywhere in the world then the attacker can trivially steal your mail by forging DNS packets. Client-side patches can stop blind attacks, but attacks from nearby computers are not blind. These patches are an extremely poor substitute for proper cryptographic protection.




Moin2Qmail: djbdns/DNS_forgery (last edited 2021-05-24 15:07:44 by ToshinoriMaeno)