9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] dns poisoning
From: cinap_lenrek @ 2012-08-29  3:29 UTC
  To: 9fans

aback.com has ns.buydomains.com as nameserver, which seems to
announce itself to be responsible for the whole .com tld and
answers positively to everything with bullshit spam ip addresses,
causing all further .com domain queries to get resolved by that
spam ns.buydomains.com dns. :(

is this allowed by the standard? is there anything we can do
to prevent it from poisoning our cache?

rei2 Aug 29 04:25:26 [73792] 61255.1: sending to 192.54.112.30/h.gtld-servers.net aback.com ip
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 flags: rd
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 qd aback.com
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ns aback.com ns	ns.buydomains.com
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ns aback.com ns	this-domain-for-sale.com
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ar ns.buydomains.com ip	64.95.64.93
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ar this-domain-for-sale.com ip	64.95.64.96
rei2 Aug 29 04:25:26 [73792] 61255.2: sending to 64.95.64.93/ns.buydomains.com aback.com ip
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 flags: auth rd
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 qd aback.com
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 an aback.com ip	64.95.64.218
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ns com ns	ns.buydomains.com
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ns com ns	this-domain-for-sale.com
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ar ns.buydomains.com ip	64.95.64.93
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ar this-domain-for-sale.com ip	64.95.64.96

--
cinap




* Re: [9fans] dns poisoning
From: erik quanstrom @ 2012-08-29  4:22 UTC
  To: 9fans

On Tue Aug 28 23:33:20 EDT 2012, cinap_lenrek@gmx.de wrote:
> aback.com has ns.buydomains.com as nameserver, which seem to
> announce itself to be responsible for the whole .com tld and
> answers positively to everything with bullshit spam ip addresses
> causing all further .com domain queries to get resolved by that
> spam ns.buydomains.com dns. :(
>
> is this allowed by the standard? is there anything we can do
> to prevent it from poisoning our cache?

no it's not*.  there's a dns concept that is generally referred to as
"bailiwick" which means crudely the stuff you're responsible for.
answers are only acceptable if they are in bailiwick.  so that
the . servers may serve up any answer, but buydomains.com
may only serve up answers for buydomains.com.  ("." is actually
irrelevant, unless it is delegated.)

(* unless it's a cname.  fu.bar.com cname blotz.frobnitz.org is cool.)

dnresolve.c:/^procansw should protect against it in the
section commented /* ignore any bad delegations */.  it should
not log on cname delegations that are out-of-bailiwick.
that's something i've added to my copy.

it's not hard to imagine that this code is not perfect.  :-)

- erik





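The bailiwick rule described in the reply above, as an added example in C that is not ndb/dns code: a record is accepted only when its owner name lies in the zone the answering server was delegated, and the filter is run over records constructed from the second response in cinap's log (the one that claims the NS set for all of com). The struct, the function names and the "" root zone convention are assumptions.

```c
#include <string.h>
typedef struct RR RR;
struct RR {
	const char *section;	/* an, ns or ar, as in the dns log */
	const char *owner;	/* owner name of the record */
	const char *type;	/* ip, ns, cname, ... */
	const char *value;
};

/* Is name equal to zone or below it?  The root ("") covers every name. */
int inzone(const char *name, const char *zone)
{
	size_t nl = strlen(name), zl = strlen(zone);
	if(zl == 0)
		return 1;
	if(nl < zl || strcmp(name + nl - zl, zone) != 0)
		return 0;
	return nl == zl || name[nl - zl - 1] == '.';
}

/* A record from the server delegated zone is in bailiwick when its owner
 * lies in that zone.  Only the owner is tested: a cname's target may point
 * anywhere, which is the "unless it's a cname" exception. */
int inbailiwick(const char *zone, const RR *rp)
{
	return inzone(rp->owner, zone);
}

/* Mark each record keep[i] = 1 (accept) or 0 (discard); return how many survive. */
int filterrrs(const char *zone, const RR *rrs, int n, int *keep)
{
	int i, nkept = 0;
	for(i = 0; i < n; i++){
		keep[i] = inbailiwick(zone, &rrs[i]);
		nkept += keep[i];
	}
	return nkept;
}

/* Constructed from the second response in the log above: the server
 * delegated aback.com also hands out an NS set for all of com. */
const RR spamresp[] = {
	{ "an", "aback.com", "ip", "64.95.64.218" },
	{ "ns", "com", "ns", "ns.buydomains.com" },
	{ "ns", "com", "ns", "this-domain-for-sale.com" },
	{ "ar", "ns.buydomains.com", "ip", "64.95.64.93" },
	{ "ar", "this-domain-for-sale.com", "ip", "64.95.64.96" },
};
const int nspamresp = sizeof spamresp / sizeof spamresp[0];
```

Run with zone "aback.com" only the answer record survives; the com NS records and their glue, which are what poisoned the cache, are dropped.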

* Re: [9fans] dns poisoning
From: cinap_lenrek @ 2012-08-29 16:16 UTC
  To: 9fans

you are right!

baddelegation() is checking for that, but it was not effective because it
bailed out before even entering that for loop because of:

	if(t == nil)
		t = lookupinfo("dom");
	if(t == nil)
		return 0;	<- delegation loop will not be checked :(

the following patch makes it work:

dblookup.c:799,806 - /sys/src/cmd/ndb/dblookup.c:799,804

  	if(t == nil)
  		t = lookupinfo("dom");
- 	if(t == nil)
- 		return 0;

  	for(; rp; rp = rp->next){
  		if(rp->type != Tns)
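Review bot: dropping the `return 0` at the removed lines leaves t nil for the whole `for(; rp; rp = rp->next)` loop whenever lookupinfo("dom") finds nothing, so every use of t inside that loop body must now tolerate nil; the visible context only shows the inner `for(nt = t; nt != nil; nt = nt->entry)` loop, whose `nt != nil` test already does, but the code between this hunk and the next is not shown and should be checked for other dereferences of t. The benefit is visible in the log: the `ns com ns ns.buydomains.com` records now reach the delegation checks instead of being waved through.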
dblookup.c:816,821 - /sys/src/cmd/ndb/dblookup.c:814,822
  			return 1;
  		}

+ 		if(t == nil)
+ 			continue;
+
  		/* see if delegating to us what we don't own */
  		for(nt = t; nt != nil; nt = nt->entry)
  			if(rp->host && cistrcmp(rp->host->name, nt->val) == 0)
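Review bot: the added `if(t == nil) continue;` looks redundant with the inner loop's own `nt != nil` test, since `nt = t` starts at nil and the inner body never runs, and it also skips whatever follows the inner loop in the outer body for every rp when t is nil. Unless something after the inner loop dereferences t, the guard can be dropped; if it stays, a comment saying what it protects would help the next reader.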
--
cinap




* Re: [9fans] dns poisoning
From: Devon H. O'Dell @ 2012-08-29 16:26 UTC
  To: Fans of the OS Plan 9 from Bell Labs

Nice catch!

2012/8/29  <cinap_lenrek@gmx.de>:
> you are right!
>
> baddelegation() is checking for that, but it was not effective because it
> bailed out before even entering that for loop because of:
>
>         if(t == nil)
>                 t = lookupinfo("dom");
>         if(t == nil)
>                 return 0;       <- delegation loop will not be checked :(
>
> the following patch makes it work:
>
> dblookup.c:799,806 - /sys/src/cmd/ndb/dblookup.c:799,804
>
>         if(t == nil)
>                 t = lookupinfo("dom");
> -       if(t == nil)
> -               return 0;
>
>         for(; rp; rp = rp->next){
>                 if(rp->type != Tns)
> dblookup.c:816,821 - /sys/src/cmd/ndb/dblookup.c:814,822
>                         return 1;
>                 }
>
> +               if(t == nil)
> +                       continue;
> +
>                 /* see if delegating to us what we don't own */
>                 for(nt = t; nt != nil; nt = nt->entry)
>                         if(rp->host && cistrcmp(rp->host->name, nt->val) == 0)
> --
> cinap
>




* Re: [9fans] dns poisoning
From: erik quanstrom @ 2012-08-29 16:37 UTC
  To: 9fans

> dblookup.c:816,821 - /sys/src/cmd/ndb/dblookup.c:814,822
>   			return 1;
>   		}
>
> + 		if(t == nil)
> + 			continue;
> +
>   		/* see if delegating to us what we don't own */
>   		for(nt = t; nt != nil; nt = nt->entry)
>   			if(rp->host && cistrcmp(rp->host->name, nt->val) == 0)

do we need this?  it will prevent nt->next from being checked.

- erik


