## page was renamed from DNS/毒盛/Guide/議論

From Son and Shmatikov:
{{{
7 Taxonomy of Cache Poisoning Attacks
}}}

== Table 3 ==
Table 3. Taxonomy of cache poisoning attacks on BIND and Unbound (abc.com is the bailiwick zone).

 * When the NS is in the cache (Possible, Section 7.4)
 * Subdomain creation (A Section 7.1, 7.2, 7.5, 7.6, NS Section 7.4)

For Unbound, 7.3.

This classification seems to omit the NS case under 7.2 (NS poisoning of organizational-type JP domain names). Or perhaps the intent is that 7.4 is sufficient. But from the standpoint that overwriting is an implementation defect, the classification is not appropriate. -- ToshinoriMaeno

== Table 4 ==
Table 4. Cache poisoning attacks on different resolvers. All attacks have been tested against actual implementation

||'''Attack'''||'''BIND 9.4.1'''||'''Unbound 1.3.4'''||'''MaraDNS 1.3.07'''||
||Adding a new CNAME record (Section 7.1)||Effective||Effective||Effective||
||Adding a subdomain under an existing authority (Section 7.2) [[/7.2]]||Effective||Possible, but ineffective with the default policy||Impossible by forging additional data||
||Overwriting an existing A record (Section 7.3)||Effective||Effective||Impossible||
||Overwriting an existing NS record (Section 7.4)||Effective||Effective||Effective||
||Creating fake domains (Section 7.5)||Effective (by forging additional section)||Effective (requires prior overwriting of IP addresses of authoritative servers)||Effective (requires prior overwriting of IP addresses of authoritative servers)||
||Stealing a popular domain name by hijacking subauthorities (Section 7.6)||Effective||Effective||Effective||

== Details ==
{{{
7.1 Adding a new CNAME record
7.2 Adding a subdomain under an existing authority
7.3 Overwriting an existing A record
7.4 Overwriting an existing NS record
7.5 Creating fake domains
7.6 Hijacking a popular domain via a sub-authority
}}}

{{{
Suppose the attacker poisons the authority section for l.google.com. Once the A record for www.l.google.com expires, the victim will ask an attacker-controlled server to resolve www.l.google.com, giving him complete control over the mapping.
This attack is effective against both BIND and Unbound because it targets the authority section of a zone or the IP address of the zone’s authoritative server, not the records in the additional section. Therefore, Unbound’s default policy does not prevent the attack. Technically, this attack is modeled by the same rules and uses the same payloads as in Section 7.3 (respectively, 7.4).
}}}

Google seems to have stopped using l.google.com recently, though. -- ToshinoriMaeno
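
The Section 7.6 passage quoted above depends on a resolver accepting authority-section data that replaces a delegation it already holds. The following is an added example, not code from the paper, BIND, Unbound or this wiki: a simplified cache-admission model that applies a bailiwick check and refuses to overwrite a still-live A or NS record from the authority or additional section. The class and function names, the policy itself and all sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str     # owner name, lower case, no trailing dot
    rtype: str    # "A" or "NS"
    data: str     # one value per RRset, for brevity
    ttl: int
    section: str  # "answer", "authority" or "additional"

def in_bailiwick(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)

class Cache:
    def __init__(self):
        self.entries = {}  # (name, rtype) -> (data, expiry time)

    def lookup(self, name, rtype, now):
        hit = self.entries.get((name, rtype))
        return hit[0] if hit and hit[1] > now else None

    def offer(self, rr: RR, zone: str, now: int):
        """Decide whether to cache one record from a response for `zone`."""
        if not in_bailiwick(rr.name, zone):
            return False, "out of bailiwick"
        live = self.lookup(rr.name, rr.rtype, now)
        # Hypothetical policy: only answer-section data may replace a live record.
        if live is not None and live != rr.data and rr.section != "answer":
            return False, f"would overwrite live {rr.rtype} from {rr.section} section"
        self.entries[(rr.name, rr.rtype)] = (rr.data, now + rr.ttl)
        return True, "cached"

def demo():
    cache, now = Cache(), 0
    # Constructed genuine state: delegation and address already cached.
    cache.offer(RR("l.google.com", "NS", "ns1.google.com", 3600, "authority"), "google.com", now)
    cache.offer(RR("www.l.google.com", "A", "192.0.2.10", 300, "answer"), "l.google.com", now)
    # Constructed forged response; names and addresses are placeholders.
    forged = [
        RR("l.google.com", "NS", "ns.attacker.example", 86400, "authority"),
        RR("ns.attacker.example", "A", "203.0.113.5", 86400, "additional"),
        RR("www.l.google.com", "A", "203.0.113.6", 86400, "additional"),
    ]
    verdicts = [cache.offer(rr, "google.com", now + 60) for rr in forged]
    return verdicts, cache.lookup("l.google.com", "NS", now + 60)
```

The check covers only records that are still live in the cache, and it also delays legitimate delegation changes until the old TTL runs out.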