From: erik quanstrom
Date: Wed, 29 Aug 2012 00:22:37 -0400
To: 9fans@9fans.net
Message-ID: <29b5e5de98bbf11a690b6831b3cf0ea6@kw.quanstro.net>
Subject: Re: [9fans] dns poisoning

On Tue Aug 28 23:33:20 EDT 2012, cinap_lenrek@gmx.de wrote:
> aback.com has ns.buydomains.com as nameserver, which seems to
> announce itself to be responsible for the whole .com tld and
> answers positively to everything with bullshit spam ip addresses
> causing all further .com domain queries to get resolved by that
> spam ns.buydomains.com dns. :(
>
> is this allowed by the standard? is there anything we can do
> to prevent it from poisoning our cache?

no it's not*. there's a dns concept that is generally referred to
as "bailiwick" which means crudely the stuff you're responsible for.
answers are only acceptable if they are in bailiwick. so that
the . servers may serve up any answer, but buydomains.com may only
serve up answers for buydomains.com. ("." is actually irrelevant,
unless it is delegated.)

(* unless it's a cname. fu.bar.com cname blotz.frobnitz.org is cool.)

dnresolve.c:/^procansw should protect against it in the section
commented /* ignore any bad delegations */. it should not log on
cname delegations that are out-of-bailiwick. that's something
i've added to my copy.

it's not hard to imagine that this code is not perfect. :-)

- erik
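
The bailiwick rule described in the message above, as an added example. This is not the code in dnresolve.c; the function names, the record struct and the sample response are assumptions constructed here. It keeps a record only when its owner name is at or below the zone the answering server is responsible for, and it leaves the cname target unchecked.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if name is zone or a subdomain of it: label-aligned, case-insensitive suffix match.
 * Assumes names are written without a trailing dot; "." alone means the root. */
int inbailiwick(const char *name, const char *zone)
{
	size_t i, n = strlen(name), z = strlen(zone);

	if(strcmp(zone, ".") == 0)
		return 1;	/* everything is below the root */
	if(n < z)
		return 0;
	for(i = 0; i < z; i++)
		if(tolower((unsigned char)name[n-z+i]) != tolower((unsigned char)zone[i]))
			return 0;
	return n == z || name[n-z-1] == '.';	/* "notaback.com" is not under "aback.com" */
}

/* Hypothetical record shape for this example. */
struct rr { const char *owner, *type, *data; };

/* Mark in keep[] the records acceptable from a server for zone; return how many. */
int filter(const char *zone, const struct rr *rr, int nrr, int *keep)
{
	int i, ok = 0;

	for(i = 0; i < nrr; i++)	/* only the owner is checked; a CNAME target may point anywhere */
		ok += keep[i] = inbailiwick(rr[i].owner, zone);
	return ok;
}

/* Constructed response from a server that was asked about aback.com. */
static const struct rr sample[] = {
	{"www.aback.com", "A", "192.0.2.10"},
	{"com", "NS", "ns.buydomains.com"},	/* claims the whole tld: dropped */
	{"fu.aback.com", "CNAME", "blotz.frobnitz.org"},	/* out-of-bailiwick target: kept */
	{"www.example.com", "A", "192.0.2.66"},	/* unrelated name: dropped */
};

int main(void)
{
	int keep[4], i, n = filter("aback.com", sample, 4, keep);

	for(i = 0; i < 4; i++)
		printf("%-4s %s %s %s\n", keep[i] ? "keep" : "drop", sample[i].owner, sample[i].type, sample[i].data);
	return n == 2 ? 0 : 1;
}
```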