
Date:  Sat, 08 Nov 2008 19:58:29 -0500
From:  Brian Rahill <brian (at mark) rainstormconsulting.com>
Subject:  [coba-e:14286] Re: Cache snooping attacks, bind
To:  coba-e (at mark) bluequartz.org
Cc:  "Ken Marcus - Precision Web Hosting, Inc." <kenmarcus (at mark) precisionweb.net>
Message-Id:  <491635B5.4060203 (at mark) rainstormconsulting.com>
In-Reply-To:  <4915E119.3070304 (at mark) dogsbody.org>
References:  <490F2542.3040509 (at mark) rainstormconsulting.com> <491029C1.30503 (at mark) dogsbody.org> <49142FC2.4050303 (at mark) rainstormconsulting.com> <C8374F0143A34A7EB0E269FE54BE12F4 (at mark) OfficeKen> <4915E119.3070304 (at mark) dogsbody.org>
X-Mail-Count: 14286


>> All you need to do is not allow recursion for IPs outside your network.
>> For example my /var/named/chroot/etc/named.conf      begins with:
> If that's the case then you can set that in the GUI! Just in case you 
> didn't know :-)
Yes, that's what I thought too, but we have this set and are still 
vulnerable. In testing and reading further, cache snooping and recursion 
are related, yet different, things.

If you limit recursion to IPs within your network, then it's true that 
other IPs cannot use your DNS to look up records that you are not 
authoritative for.

However, if someone on your internal network looks up a record, it's 
then saved in the DNS cache and anyone, regardless of their IP, can now 
look up that record from your cache. This is where the "cache snooping" 
comes in -- people from outside can query your DNS cache and snoop what 
records you have cached.

I have tried this with our servers and it works. Currently the only 
reasonable fix I have seen for this is to upgrade BIND unless someone 
here has a better idea.

Brian
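The distinction Brian draws above (recursion limited, cache still readable) can be audited against your own resolver with a non-recursive query: if a record comes back with the AA bit clear, it was served from cache. This is an added example written for this thread, not code from the original post; the server address and hostname are assumptions you supply on the command line.

```python
import socket
import struct
import sys

# Added example: audit a resolver for the cache-snooping condition described
# in the thread. Sends a query with RD=0 (no recursion requested) and
# classifies the answer. Server and name are caller-supplied assumptions.

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a DNS A/IN query with the RD (recursion desired) bit cleared."""
    flags = 0x0000  # QR=0, opcode=0, RD=0: only return what is already cached
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname_wire + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN

def classify(response: bytes) -> str:
    """Classify a response to a non-recursive query by header flags only."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    aa = bool(flags & 0x0400)
    if rcode == 5:
        return "refused"        # server policy blocks the query entirely
    if an > 0 and not aa:
        return "cached"         # non-authoritative answer: served from cache
    if an > 0 and aa:
        return "authoritative"  # zone the server hosts; not a cache leak
    return "not-cached"         # empty answer or referral: nothing to snoop

def check(server: str, qname: str, timeout: float = 2.0) -> str:
    """Send the non-recursive query over UDP and classify the reply."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return classify(data)

if __name__ == "__main__":
    # usage: python snoopcheck.py <resolver-ip> <hostname>
    print(check(sys.argv[1], sys.argv[2]))
```

A result of "cached" from an address outside your network means `allow-recursion` alone is not enough; BIND 9.4 and later add the `allow-query-cache` directive, which is the control the "upgrade BIND" advice above gets you.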