Hi folks, A number of you have likely heard about this already, but just in case not, this is a fairly serious issue that deserves a few minutes of attention. Recently, it was discovered that the amount of entropy in DNS queries is relatively low in typical DNS software implementations, making the ability to spoof answers a fairly trivial exercise that can take as little as a second. This can be used to poison DNS caches, and ultimately introduce false data into the DNS. This is important on two distinctly different fronts: 1) Recursive name servers should have the maximum amount of entropy to provide the strongest resistance to spoofed DNS responses. This won't solve the problem, but helps mitigate the risk. There are patches for BIND etc. now available to randomise the source port of queries to aid this. To test a recursive name server you can use the tool at https://www.dns-oarc.net/oarc/services/dnsentropy 2) For domain registrants, the authoritative name server for your domain can be affected if they also offer recursive name service. The effects of cache poisoning can therefore introduce false data into your zone. To test for vulnerable servers, there is a new tool at http://recursive.iana.org/ The solution to this problem is to separate recursive and authoritative name service from one another. There is also an FAQ, focused on part 2, at http://www.iana.org/reports/2008/cross-pollination-faq.html cheers, kimReceived on Thu Aug 07 2008 - 14:52:21 UTC
This archive was generated by hypermail 2.3.0 : Sat Sep 09 2017 - 22:00:09 UTC