MoinQ:

Describe DNS/毒盛/Guide/議論 here.

From Son and Shmatikov

7 Taxonomy of Cache Poisoning Attacks

1. Table 3

Table 3. Taxonomy of cache poisoning attacks on BIND and Unbound (abc.com is the bailiwick zone).

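This classification seems to omit the NS case in 7.2. (NS poisoning of organizational-type JP domain names)

However, from the standpoint that overwriting is an implementation defect, the classification would not be appropriate. -- ToshinoriMaeno 2014-06-14 05:05:07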

2. Table 4

Table 4. Cache poisoning attacks on different resolvers.

Adding a new CNAME record (Section 7.1)

Adding a subdomain under an existing authority (Section 7.2)

Overwriting an existing A record (Section 7.3)

Overwriting an existing NS record (Section 7.4)

Creating fake domains (Section 7.5)

Stealing a popular domain name by hijacking subauthorities (Section 7.6)

3. Individual sections

7.1 Adding a new CNAME record
7.2 Adding a subdomain under an existing authority
7.3 Overwriting an existing A record
7.4 Overwriting an existing NS record
7.5 Creating fake domains
7.6 Hijacking a popular domain via a sub-authority

Suppose the attacker poisons the authority section for l.google.com.
Once the A record for www.l.google.com expires,
the victim will ask an attacker-controlled server to resolve www.l.google.com,
giving him complete control over the mapping.

This attack is effective against both BIND and Unbound 
because it targets the authority section of a zone or the IP address of
the zone’s authoritative server, not the records in the additional section.

Therefore, Unbound’s default policy does not prevent the attack.
Technically, this attack is modeled by the same rules and uses the same payloads as in Section 7.3 (respectively, 7.4).

It seems Google has recently stopped using l.google.com, though. -- ToshinoriMaeno 2014-03-28 13:55:59
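An added example (not from the paper or this wiki) modeling the Section 7.6 passage quoted above: while the A record for www.l.google.com is live the cache answers, and once it expires the resolver follows whatever NS set is cached for l.google.com. The `Cache` model, the `audit_ns` check, the server names, addresses and TTLs are all constructed assumptions.

```python
# Added example: constructed model of a resolver cache (names, addresses, TTLs are samples).
class Cache:
    def __init__(self):
        self.rrsets = {}  # (owner name, type) -> (frozenset of rdata, expiry time)

    def put(self, name, rtype, data, ttl, now):
        self.rrsets[(name, rtype)] = (frozenset(data), now + ttl)

    def get(self, name, rtype, now):
        data, expires = self.rrsets.get((name, rtype), (None, 0))
        return data if expires > now else None

    def closest_ns(self, qname, now):
        """Walk up from qname to the nearest live cached NS RRset (zone cut)."""
        labels = qname.split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            servers = self.get(zone, "NS", now)
            if servers:
                return zone, servers
        return ".", frozenset()  # root hints are not modelled

def next_step(cache, qname, now):
    """('cache', addrs) on a live A record, else ('ask', zone, servers)."""
    addrs = cache.get(qname, "A", now)
    if addrs:
        return ("cache", addrs)
    return ("ask",) + cache.closest_ns(qname, now)

def audit_ns(cache, expected, now):
    """Zones whose live cached NS set names a server outside the expected set."""
    return sorted(zone for (zone, rtype), (data, exp) in cache.rrsets.items()
                  if rtype == "NS" and exp > now
                  and zone in expected and not data <= expected[zone])

def demo():
    c = Cache()
    c.put("www.l.google.com", "A", {"192.0.2.10"}, ttl=300, now=0)
    c.put("l.google.com", "NS", {"ns.legit.example"}, ttl=86400, now=0)
    # t=100: a poisoned NS RRset replaces the cached one (how is out of scope here).
    c.put("l.google.com", "NS", {"ns.attacker.example"}, ttl=86400, now=100)
    before = next_step(c, "www.l.google.com", now=200)   # A record still live
    after = next_step(c, "www.l.google.com", now=301)    # A record expired
    flagged = audit_ns(c, {"l.google.com": {"ns.legit.example"}}, now=301)
    return before, after, flagged
```

The audit compares cached delegations against an operator-supplied expected set, so it flags the replaced NS RRset even while the still-valid A record keeps answers looking normal.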

MoinQ: DNS/毒盛/攻撃対象/議論 (last edited 2021-05-02 10:47:24 by ToshinoriMaeno)