DNS/毒盛/Guide/議論について、ここに記述してください。
Son and Shmatikov より
7 Taxonomy of Cache Poisoning Attacks
1. Table 3
Table 3. Taxonomy of cache poisoning attacks on BIND and Unbound (abc.com is the bailiwick zone).
- NSがキャッシュにあるとき (Possible Section 7.4)
- Subdomain 生成(A Section 7.1, 7.2, 7.5, 7.6, NS Section 7.4) Unbound では 7.3
ここの分類では 7.2 での NS が落ちているようだ。 (属性型JPドメイン名でのNS毒盛)
- あるいは 7.4 で十分だというつもりなのかもしれない。
でも、上書きするのは実装の不良だと考える立場だと、分類が適切ではないことになる。 -- ToshinoriMaeno 2014-06-14 05:05:07
2. Table 4
Table 4. Cache poisoning attacks on different resolvers.
- All attacks have been tested against actual implementation
- BIND 9.4.1, Unbound 1.3.4, MaraDNS 1.3.07
Adding a new CNAME record (Section 7.1)
- Effective, Effective, Effective
Adding a subdomain under anexisting authority (Section 7.2)
- Effective, Possible, but ineffective with the default policy, Impossible by forging additional data
Overwriting an existing A record (Section 7.3)
- Effective Effective Impossible
Overwriting an existing NS record (Section 7.4)
- Effective Effective Effective
Creating fake domains (Section 7.5)
- Effective (by forging additional section) Effective (requires prior overwriting of IP addresses of authoritative servers) Effective (requires prior overwriting of IP addresses of authoritative servers)
Stealing a popular domain name by hijacking subauthorities (Section 7.6)
- Effective Effective Effective
3. 各論
7.1 Adding a new CNAME record 7.2 Adding a subdomain under an existing authority 7.3 Overwriting an existing A record 7.4 Overwriting an existing NS record 7.5 Creating fake domains 7.6 Hijacking a popular domain via a sub-authority
Suppose the attacker poisons the authority section for l.google.com. Once the A record for www.l.google.com expires, the victim will ask an attacker-controlled server to resolve www.l.google.com, giving him complete control over the mapping. This attack is effective against both BIND and Unbound because it targets the authority section of a zone or the IP address of the zone’s authoritative server, not the records in the additional section. Therefore, Unbound’s default policy does not prevent the attack. Technically, this attack is modeled by the same rules and uses the same payloads as in Section 7.3 (respectively, 7.4).
最近のgoogle は l.google.com をやめたようだが。-- ToshinoriMaeno 2014-03-28 13:55:59