* [9fans] dns poisoning
@ 2012-08-29 3:29 cinap_lenrek
2012-08-29 4:22 ` erik quanstrom
0 siblings, 1 reply; 5+ messages in thread
From: cinap_lenrek @ 2012-08-29 3:29 UTC (permalink / raw)
To: 9fans
aback.com has ns.buydomains.com as nameserver, which seem to
announce itself to be responsible for the whole .com tld and
answers positively to everything with bullshit spam ip addresses
causing all further .com domain queries to get resolved by that
spam ns.buydomains.com dns. :(
is this allowed by the standard? is there anything we can do
to prevent it from poisoning our cache?
rei2 Aug 29 04:25:26 [73792] 61255.1: sending to 192.54.112.30/h.gtld-servers.net aback.com ip
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 flags: rd
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 qd aback.com
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ns aback.com ns ns.buydomains.com
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ns aback.com ns this-domain-for-sale.com
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ar ns.buydomains.com ip 64.95.64.93
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ar this-domain-for-sale.com ip 64.95.64.96
rei2 Aug 29 04:25:26 [73792] 61255.2: sending to 64.95.64.93/ns.buydomains.com aback.com ip
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 flags: auth rd
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 qd aback.com
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 an aback.com ip 64.95.64.218
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ns com ns ns.buydomains.com
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ns com ns this-domain-for-sale.com
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ar ns.buydomains.com ip 64.95.64.93
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ar this-domain-for-sale.com ip 64.95.64.96
--
cinap
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [9fans] dns poisoning
2012-08-29 3:29 [9fans] dns poisoning cinap_lenrek
@ 2012-08-29 4:22 ` erik quanstrom
2012-08-29 16:16 ` cinap_lenrek
0 siblings, 1 reply; 5+ messages in thread
From: erik quanstrom @ 2012-08-29 4:22 UTC (permalink / raw)
To: 9fans
On Tue Aug 28 23:33:20 EDT 2012, cinap_lenrek@gmx.de wrote:
> aback.com has ns.buydomains.com as nameserver, which seem to
> announce itself to be responsible for the whole .com tld and
> answers positively to everything with bullshit spam ip addresses
> causing all further .com domain queries to get resolved by that
> spam ns.buydomains.com dns. :(
>
> is this allowed by the standard? is there anything we can do
> to prevent it from poisoning our cache?
no it's not*. there's a dns concept that is generally referred to as
"baliwick" which means crudly the stuff you're responsible for.
answers are only acceptable if they are in balliwick. so that
the . servers may serve up any answer, but buydomains.com
may only serve up answers for buydomains.com. ("." is actually
irrelevant, unless it is delegated.)
(* unless it's a cname. fu.bar.com cname blotz.frobnitz.org is cool.)
dnresolve.c:/^procansw should protect against it in the
section commented /* ignore any bad delegations */. it should
not log on cname delegations that are are out-of-balliwick.
that's something i've added to my copy.
it's not hard to imagine that this code is not perfect. :-)
- erik
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [9fans] dns poisoning
2012-08-29 4:22 ` erik quanstrom
@ 2012-08-29 16:16 ` cinap_lenrek
2012-08-29 16:26 ` Devon H. O'Dell
2012-08-29 16:37 ` erik quanstrom
0 siblings, 2 replies; 5+ messages in thread
From: cinap_lenrek @ 2012-08-29 16:16 UTC (permalink / raw)
To: 9fans
you are right!
baddelegation() is checking for that, but it was not effective because it
bailed out before even entering that for loop because of:
if(t == nil)
t = lookupinfo("dom");
if(t == nil)
return 0; <- delegation loop will not be checked :(
the following patch makes it work:
dblookup.c:799,806 - /sys/src/cmd/ndb/dblookup.c:799,804
if(t == nil)
t = lookupinfo("dom");
- if(t == nil)
- return 0;
for(; rp; rp = rp->next){
if(rp->type != Tns)
dblookup.c:816,821 - /sys/src/cmd/ndb/dblookup.c:814,822
return 1;
}
+ if(t == nil)
+ continue;
+
/* see if delegating to us what we don't own */
for(nt = t; nt != nil; nt = nt->entry)
if(rp->host && cistrcmp(rp->host->name, nt->val) == 0)
--
cinap
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [9fans] dns poisoning
2012-08-29 16:16 ` cinap_lenrek
@ 2012-08-29 16:26 ` Devon H. O'Dell
2012-08-29 16:37 ` erik quanstrom
1 sibling, 0 replies; 5+ messages in thread
From: Devon H. O'Dell @ 2012-08-29 16:26 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
Nice catch!
2012/8/29 <cinap_lenrek@gmx.de>:
> you are right!
>
> baddelegation() is checking for that, but it was not effective because it
> bailed out before even entering that for loop because of:
>
> if(t == nil)
> t = lookupinfo("dom");
> if(t == nil)
> return 0; <- delegation loop will not be checked :(
>
> the following patch makes it work:
>
> dblookup.c:799,806 - /sys/src/cmd/ndb/dblookup.c:799,804
>
> if(t == nil)
> t = lookupinfo("dom");
> - if(t == nil)
> - return 0;
>
> for(; rp; rp = rp->next){
> if(rp->type != Tns)
> dblookup.c:816,821 - /sys/src/cmd/ndb/dblookup.c:814,822
> return 1;
> }
>
> + if(t == nil)
> + continue;
> +
> /* see if delegating to us what we don't own */
> for(nt = t; nt != nil; nt = nt->entry)
> if(rp->host && cistrcmp(rp->host->name, nt->val) == 0)
> --
> cinap
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [9fans] dns poisoning
2012-08-29 16:16 ` cinap_lenrek
2012-08-29 16:26 ` Devon H. O'Dell
@ 2012-08-29 16:37 ` erik quanstrom
1 sibling, 0 replies; 5+ messages in thread
From: erik quanstrom @ 2012-08-29 16:37 UTC (permalink / raw)
To: 9fans
> dblookup.c:816,821 - /sys/src/cmd/ndb/dblookup.c:814,822
> return 1;
> }
>
> + if(t == nil)
> + continue;
> +
> /* see if delegating to us what we don't own */
> for(nt = t; nt != nil; nt = nt->entry)
> if(rp->host && cistrcmp(rp->host->name, nt->val) == 0)
do we need this? it will prevent nt->next from being checked.
- erik
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2012-08-29 16:37 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-08-29 3:29 [9fans] dns poisoning cinap_lenrek
2012-08-29 4:22 ` erik quanstrom
2012-08-29 16:16 ` cinap_lenrek
2012-08-29 16:26 ` Devon H. O'Dell
2012-08-29 16:37 ` erik quanstrom
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).