[TAG] (forw) Re: [conspire] DNS vulnerability details
Kapil Hari Paranjape
kapil at imsc.res.in
Wed Aug 6 09:25:18 MSD 2008
On Tue, 05 Aug 2008, Rick Moen wrote:
> ----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----
> Date: Tue, 5 Aug 2008 13:38:43 -0700
> From: Rick Moen <rick at linuxmafia.com>
> To: conspire at linuxmafia.com
> Subject: Re: [conspire] DNS vulnerability details
> > o Your Debian and MacOS boxes -- being TCP/IP-capable -- have DNS
> > resolver libraries (DNS clients). Neither of those OSes' libraries
> > is particularly competent at randomising their UDP ports on outgoing
> > DNS queries whose recursive bits are set, _but_ results received
> > back are not cached. So, there's very little payoff to a theoretical
> > attacker from sending them forged responses with cache-poisoning data
> > -- there being no cache to poison. Get it?
While this is generally true, I am a bit worried about systems where
one runs "nscd". (For those not in the know, "nscd=name service
caching daemon" which caches a number of things for the libc resolver
stub.) Does "nscd" aggravate the problem?
I know your response is likely to be "Do not run this little horror!"
but it seems to be required if one is running NIS. Of course, the
next question would be why one is running NIS in 2008!
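The risk Kapil raises is that nscd turns a cache-less stub resolver into one with a cache: an answer the stub accepts once can then be served locally for the whole positive TTL configured for the `hosts` database. The following script, an added example that is not part of this thread, reads the glibc `nscd.conf` format (`attribute database value` lines) and reports whether host caching is enabled, how long a cached host entry persists, and whether the cache is persistent across restarts. The configuration fragment embedded below is constructed for the example, not taken from any real host.

```python
"""Added example: audit an nscd.conf for host-lookup caching.

nscd caches results of the libc stub resolver's lookups, so a forged DNS
answer accepted once by the stub could be reused from the nscd hosts
cache for its full positive TTL.  The attribute names below are glibc's
nscd.conf keys; the sample configuration itself is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample nscd.conf fragment (not copied from any real host).
SAMPLE_NSCD_CONF = """\
# /etc/nscd.conf (constructed sample)
        logfile                 /var/log/nscd.log
        debug-level             0
        enable-cache            passwd          yes
        positive-time-to-live   passwd          600
        enable-cache            hosts           yes
        positive-time-to-live   hosts           3600
        negative-time-to-live   hosts           20
        check-files             hosts           yes
        persistent              hosts           yes
"""


@dataclass
class CacheSettings:
    enabled: bool = False
    positive_ttl: int = 0       # seconds a successful lookup is served from cache
    negative_ttl: int = 0       # seconds a failed lookup is served from cache
    persistent: bool = False    # cache file survives nscd restarts


def parse_nscd_conf(text: str) -> dict[str, CacheSettings]:
    """Parse nscd.conf text into per-database cache settings."""
    dbs: dict[str, CacheSettings] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            continue                          # global options (logfile, debug-level)
        attr, db, value = fields
        settings = dbs.setdefault(db, CacheSettings())
        if attr == "enable-cache":
            settings.enabled = value.lower() == "yes"
        elif attr == "positive-time-to-live":
            settings.positive_ttl = int(value)
        elif attr == "negative-time-to-live":
            settings.negative_ttl = int(value)
        elif attr == "persistent":
            settings.persistent = value.lower() == "yes"
    return dbs


def hosts_cache_exposure(text: str) -> dict:
    """Summarize whether nscd would retain a host entry the stub accepted.

    Returns the enabled flag, the retention window in seconds, the
    persistence flag and a one-line finding for a defender's report.
    """
    hosts = parse_nscd_conf(text).get("hosts", CacheSettings())
    if not hosts.enabled:
        finding = "hosts cache disabled: nscd adds no DNS cache to poison"
    else:
        finding = (f"hosts cache enabled: an answer accepted by the stub is "
                   f"reused for up to {hosts.positive_ttl}s"
                   + (", and survives nscd restarts" if hosts.persistent else ""))
    return {
        "enabled": hosts.enabled,
        "retention_seconds": hosts.positive_ttl if hosts.enabled else 0,
        "persistent": hosts.enabled and hosts.persistent,
        "finding": finding,
    }


if __name__ == "__main__":
    print(hosts_cache_exposure(SAMPLE_NSCD_CONF)["finding"])
```

Run it against a real `/etc/nscd.conf` by passing the file's contents to `hosts_cache_exposure`; a non-zero retention window is the condition under which the "no cache to poison" argument above no longer holds for that machine, and disabling `enable-cache hosts` (or shortening its positive TTL) closes the window while leaving passwd/group caching for NIS intact.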