From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <101ce9cb4e14907be1f9cd2519fe158e@quanstro.net>
To: 9fans@9fans.net
From: erik quanstrom
Date: Sun, 27 Jul 2008 23:48:35 -0400
In-Reply-To: <488D35A2.5080806@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Subject: Re: [9fans] dns exploits (self-promotion remix)
Topicbox-Message-UUID: f2d38398-ead3-11e9-9d60-3106f5b1d025

> > 2. who does recursive queries on external interfaces?
> > i would have considered this a configuration error and
> > security problem ten years ago.
> >
>
> Tell that to the rest of the internet.

without reasonable configuration, most any machine can be made
trivially vulnerable.

> vectors that are just as predictable because of the
> luxury of web2.0. Recursive queries obviously just
> make this simpler for the attacker.

what is this "web 2.0" of which you speak? i use plan 9 and
unfamiliar with such as i presume to be jargon. ☺

to do it from the inside, one requires out-of-bailiwick hints to
be cached, right? this should be a big hurdle.

it's disappointing to note that plan 9 dns does no hint validation.
that is perhaps a larger long-known, and still-exploitable hole than
the one that gets so much press.

i think it would be best if ndb/dns simply did not reply with answers
obtained from glue but rather re-queried the authoritative ns *and*
rejected out-of-bailiwick hints.

- erik
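
The out-of-bailiwick rejection suggested in the message above, sketched in Python as an added example; it is not part of the original message and is not ndb/dns code. The function names, the record tuples and the sample response are constructed for illustration, and the zone passed in is assumed to be the delegation the resolver followed to reach the answering server.

```python
# Added example: bailiwick filter for records in a DNS response.
# Names, record layout and sample data are constructed (hypothetical).

def labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []   # root zone -> []

def in_bailiwick(owner, zone):
    """True if owner equals zone or is a subdomain of it.

    The comparison is label-wise: a plain string suffix test would
    wrongly accept evilexample.com as part of example.com.
    """
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_response(zone, records):
    """Split records into (accepted, rejected) by owner-name bailiwick.

    zone    -- zone the queried server was delegated authority for
    records -- (owner, rtype, rdata) tuples from the authority and
               additional sections of its response
    """
    accepted, rejected = [], []
    for rec in records:
        (accepted if in_bailiwick(rec[0], zone) else rejected).append(rec)
    return accepted, rejected

# Constructed response from a server reached via the example.com delegation.
SAMPLE = [
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.53"),
    ("NS1.Example.COM", "AAAA", "2001:db8::53"),   # case must not matter
    ("www.bank.test.", "A", "203.0.113.66"),       # unrelated zone
    ("evilexample.com.", "A", "203.0.113.67"),     # suffix match only
    ("com.", "NS", "ns.attacker.test."),           # parent of the zone
]

if __name__ == "__main__":
    ok, bad = filter_response("example.com", SAMPLE)
    for rec in ok:
        print("accept", rec)
    for rec in bad:
        print("reject", rec)
```

Rejected records are never cached or returned; a resolver that needs one of those names looks it up separately from the servers authoritative for it.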