Maintained by: NLnet Labs

[Unbound-users] Increase RRset poisoning resistance

7v5w7go9ub0o
Mon Aug 11 17:03:43 CEST 2008


Please consider another newbie posting and question.

Referring to this article (Matasano):

<http://beezari.livejournal.com/141796.html>

and this article (Friedl):

<http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html#poisoning>

there seem to be two attacks of current (Kaminsky) interest:

1. "poison a single address record" attack.

This is when an attacker tries to match the qid/port of a request. This
is clearly not an issue with unbound, which is well designed in
terms of randomness, and has first-rate test results; e.g.

  <https://www.dns-oarc.net/oarc/services/porttest>

2. "hijack the authority records" (RRset poisoning). This is where the
server is sent to a bogus authority NS that is in-bailiwick with the target.

The last five paragraphs of the Matasano paper (from "5" to the end)
describe how an in-bailiwick poisoning could occur; the last few
paragraphs of the Friedl paper perhaps describe it more elegantly.

If I understand correctly, this second attack is much more likely to 
succeed because it is continuous - a series of requested in-bailiwick 
addresses can be sequentially increased and re-requested, resulting in 
continuous queries by the recursive server.

Suggestion: That unbound incorporate additional logic to defend against 
a "poisoned authority record" attack - logic in addition to its superior
port/qid randomization?

This additional logic is: that an exact match, not merely an
"in-bailiwick" match, be required before unbound would accept glue/RR
record additions or updates.

It seems to me that little harm would result if unbound were instructed
to accept glue/RR records only from *exact* matches, and not from 
*inexact*, but in-bailiwick authority records.

Thanks for considering this.
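The two acceptance rules the post contrasts, the usual "in-bailiwick" check and the proposed "exact match" check, applied to a constructed Kaminsky-style forged reply. This is an added illustration written for this page; it is not part of the original message and not Unbound's code. The record set, the names, the 203.0.113.0/24 addresses and the helper names (`accepted`, `poisoning_records`) are all assumptions made up for the example; it only shows which records each rule admits.

```python
# Added illustration (not Unbound's code): the two acceptance rules the post
# contrasts, applied to a constructed Kaminsky-style forged response.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type and rdata (presentation form)."""
    name: str
    rtype: str
    rdata: str


def labels(name: str) -> tuple:
    """Split an owner name into lower-cased labels; trailing root dot ignored."""
    return tuple(l.lower() for l in name.rstrip(".").split(".") if l)


def is_subdomain(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it in the DNS tree.
    Compares whole labels, so 'notexample.com' is not under 'example.com'."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def in_bailiwick(rr: RR, bailiwick: str) -> bool:
    """The usual rule: keep a record if its owner name is at or below the zone
    the queried server was asked about (its 'bailiwick')."""
    return is_subdomain(rr.name, bailiwick)


def exact_match(rr: RR, qname: str) -> bool:
    """The stricter rule the post proposes: keep a record only if its owner
    name is exactly the name that was queried."""
    return labels(rr.name) == labels(qname)


def accepted(records, qname: str, bailiwick: str, rule: str):
    """Return the records a resolver would cache under the chosen rule
    ('bailiwick' or 'exact'). Hypothetical helper, not a resolver API."""
    if rule == "bailiwick":
        return [rr for rr in records if in_bailiwick(rr, bailiwick)]
    if rule == "exact":
        return [rr for rr in records if exact_match(rr, qname)]
    raise ValueError(f"unknown rule {rule!r}")


# Constructed sample (assumption, not captured traffic). The resolver was made
# to ask example.com's servers for a random, non-existent label; the attacker
# races in a forged reply whose authority/additional sections try to replace
# the NS record for the whole zone. 203.0.113.0/24 is documentation address
# space, standing in here for the attacker's host.
QNAME = "a1234.example.com."
BAILIWICK = "example.com."
FORGED = [
    RR("a1234.example.com.", "A", "203.0.113.5"),    # decoy answer to the query
    RR("example.com.", "NS", "ns1.example.com."),    # authority: hijacks the zone
    RR("ns1.example.com.", "A", "203.0.113.66"),     # glue: points the NS at attacker
    RR("www.victim.net.", "A", "203.0.113.9"),       # out of bailiwick entirely
]


def poisoning_records(rule: str):
    """The forged authority NS and its glue that survive under the given rule."""
    return [rr for rr in accepted(FORGED, QNAME, BAILIWICK, rule)
            if rr.rtype == "NS" or rr.name == "ns1.example.com."]


if __name__ == "__main__":
    for rule in ("bailiwick", "exact"):
        kept = accepted(FORGED, QNAME, BAILIWICK, rule)
        print(f"{rule:9s}: " + ", ".join(f"{r.name} {r.rtype}" for r in kept))
```

Under the bailiwick rule the forged `example.com. NS` and its glue are admitted because both owner names sit under `example.com.`; under the exact-match rule only the record for the queried name itself survives, and the out-of-bailiwick `www.victim.net.` record is dropped by both.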