[linux-elitists] Applications and the infamous DNS vulnerability

Don Marti dmarti@zgp.org
Thu Jul 24 09:40:04 PDT 2008


On a properly set up home or office network, it should
be difficult to poison the nameserver completely
from the outside -- for a long time it's been best
practice to put your public DNS on a separate machine.

Of course an attacker can easily trick an application
on the inside into doing a bunch of DNS queries --
the simplest example is that a user could visit a
malicious web page with a bunch of images.

Should applications that handle untrusted data
be keeping track of the number of times they get
NXDOMAIN for subdomains of one domain -- some kind
of wrapper around getaddrinfo -- then refusing to
query again if there are so many that it looks like
an attack?  Maybe with a "I'm not looking up another
randomcrap.example.com domain for you" dialog, or
maybe just stop processing the offending web page or
whatever other data source is causing the queries?

-- 
Don Marti                                               +1 415-734-7913 mobile
http://zgp.org/~dmarti/
dmarti@zgp.org         Linux device driver unconference: http://freedomhec.org/ 
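One way to build the getaddrinfo wrapper the post describes, as an added example that is not part of the original message: it counts NXDOMAIN answers per parent domain and refuses to query again once a threshold is reached. The threshold, the two-label "parent domain" approximation, and the offline fake resolver are assumptions made for the example.

```python
import collections
import socket

class QueryBudgetExceeded(socket.gaierror):
    """Raised instead of querying once a parent domain has used up its NXDOMAIN budget."""

class NxdomainGuard:
    """Wraps a getaddrinfo-style resolver and counts NXDOMAIN answers per parent domain."""

    def __init__(self, threshold=20, depth=2, resolver=socket.getaddrinfo):
        self.threshold = threshold      # NXDOMAINs tolerated under one parent (assumption)
        self.depth = depth              # trailing labels treated as the parent (assumption)
        self.resolver = resolver
        self.nxdomain_counts = collections.Counter()

    def parent_of(self, hostname):
        # Approximation: the last `depth` labels. Production code should use the
        # public suffix list so that a.co.uk and b.co.uk do not share one budget.
        labels = hostname.rstrip(".").lower().split(".")
        return ".".join(labels[-self.depth:])

    def getaddrinfo(self, hostname, port, *args, **kwargs):
        parent = self.parent_of(hostname)
        if self.nxdomain_counts[parent] >= self.threshold:
            raise QueryBudgetExceeded(socket.EAI_NONAME, f"refusing lookups under {parent}")
        try:
            return self.resolver(hostname, port, *args, **kwargs)
        except socket.gaierror as exc:
            if exc.errno == socket.EAI_NONAME:  # NXDOMAIN as reported by getaddrinfo
                self.nxdomain_counts[parent] += 1
            raise

# Constructed stand-in for the system resolver so the example runs offline:
# one real host, every other name under example.com answers NXDOMAIN.
def fake_resolver(hostname, port, *args, **kwargs):
    if hostname == "www.example.com":
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port))]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")

def demo(threshold=3):
    guard = NxdomainGuard(threshold=threshold, resolver=fake_resolver)
    names = ["www.example.com"] + [f"r{i}.example.com" for i in range(threshold + 2)]
    outcomes = []
    for name in names:
        try:
            guard.getaddrinfo(name, 80)
            outcomes.append("resolved")
        except QueryBudgetExceeded:
            outcomes.append("refused")   # no query reached the resolver
        except socket.gaierror:
            outcomes.append("nxdomain")
    return outcomes, guard.nxdomain_counts["example.com"]
```

Because the refusal is itself a socket.gaierror, callers that already handle lookup failures need no changes; an application could instead catch QueryBudgetExceeded and stop processing the offending page.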
