1. 2009
In the Blackhat 2009 talk (apparently Washington DC), points corresponding to the present discussion were also raised.
DNS 2008 and the New (old) Nature of Critical Infrastructure
slide 17
- Nonexistent subdomains can’t already be cached, so they’re easy to inject
DNS 2008 and the New (old) Nature of Critical Infrastructure
slide 12/71
Nature Of My TTL Bypass (There are many others)
A Question Of Trust
- BIND9 is a little more paranoid than many name servers
  - Nominum’s pretty paranoid too
- If there is an answer in cache that came from the ANSWER section, the added data in ADDITIONAL cannot override it, even if the new data comes from a source that’s in-bailiwick
- Apparently not even Kaminsky can say that the RFC 2181 ranking is wrong.
Not All Answers Are Found In The Same Place
- Many answers in a DNS cache were originally acquired via ADDITIONAL section
  - MX Records provide a list of mail servers, and additionally their IP addresses
  - CNAME Records provide the “Canonical Name” for a server, and additionally the IP of that server
- CNAME may be returned for any type
- Additional IP may show up in Answer section, unclear if treated as an Answer th
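To make the two slides above concrete, here is an added toy resolver cache (not code from the slides or from BIND) that applies a simplified RFC 2181 section 5.4.1 trust ranking plus a bailiwick check. It models exactly the rule the "A Question Of Trust" slide describes: an address cached from an ANSWER section is not overridden by the same name arriving in ADDITIONAL, even when the reply is in-bailiwick, and no matter how much TTL the cached record has left. The three rank values, the `Cache` class, the domain names (RFC 2606 `.example`) and addresses (RFC 5737) are all assumptions constructed for the example. The model treats an A record that follows a CNAME in the ANSWER section at answer rank, which is a modelling choice; the slide itself flags that behaviour as unclear for real resolvers.

```python
from dataclasses import dataclass

# Simplified RFC 2181 section 5.4.1 trust ranking (higher wins). The real
# ranking has more levels (zone files, zone transfers, non-authoritative
# replies); three are enough to show the ANSWER-vs-ADDITIONAL rule.
RANK_ANSWER = 3      # ANSWER section of an authoritative reply
RANK_AUTHORITY = 2   # AUTHORITY section (delegation NS records)
RANK_ADDITIONAL = 1  # ADDITIONAL section (glue, MX/CNAME target addresses)
SECTION_RANK = {"ANSWER": RANK_ANSWER, "AUTHORITY": RANK_AUTHORITY,
                "ADDITIONAL": RANK_ADDITIONAL}


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int


@dataclass
class CacheEntry:
    rr: RR
    rank: int


def canon(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare consistently."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone, i.e. the answering server may speak for it."""
    n, z = canon(name), canon(zone)
    return n == z or n.endswith("." + z)


class Cache:
    """Positive cache keyed by (name, type). Negative caching is out of scope."""

    def __init__(self) -> None:
        self._store: dict[tuple[str, str], CacheEntry] = {}

    def lookup(self, name: str, rtype: str):
        entry = self._store.get((canon(name), rtype))
        return entry.rr.rdata if entry else None

    def rank_of(self, name: str, rtype: str):
        entry = self._store.get((canon(name), rtype))
        return entry.rank if entry else None

    def ingest(self, response: dict, zone: str) -> list:
        """Merge a reply into the cache.

        response maps section name -> list of RR; zone is the bailiwick of the
        server the reply came from. Returns (rr, accepted, reason) per RR.
        """
        outcome = []
        for section, rrs in response.items():
            rank = SECTION_RANK[section]
            for rr in rrs:
                if not in_bailiwick(rr.name, zone):
                    outcome.append((rr, False, "out of bailiwick"))
                    continue
                key = (canon(rr.name), rr.rtype)
                cached = self._store.get(key)
                if cached is not None and cached.rank > rank:
                    # Lower-ranked data never overrides higher-ranked data,
                    # regardless of the remaining TTL on the cached record.
                    outcome.append((rr, False, "outranked by cached data"))
                    continue
                self._store[key] = CacheEntry(rr, rank)
                outcome.append((rr, True, f"cached from {section}"))
        return outcome


def demo() -> Cache:
    """Constructed scenario (assumption, not from the slides): an NS address
    is already cached from an ANSWER section with a long TTL; a later reply
    for a random, never-cached label tries to replace it via ADDITIONAL."""
    cache = Cache()
    zone = "victim.example"
    # Legitimate earlier lookup: ns1's address came back in ANSWER, 1-day TTL.
    cache.ingest({"ANSWER": [RR("ns1.victim.example", "A", "192.0.2.1", 86400)]}, zone)
    # Reply for a random label (cannot already be cached), carrying in-bailiwick
    # AUTHORITY/ADDITIONAL that point ns1 elsewhere, a CNAME chain in ANSWER,
    # and one out-of-bailiwick record.
    reply = {
        "ANSWER": [
            RR("q7x2k.victim.example", "CNAME", "www.victim.example", 5),
            RR("www.victim.example", "A", "203.0.113.9", 86400),
        ],
        "AUTHORITY": [RR("victim.example", "NS", "ns1.victim.example", 86400)],
        "ADDITIONAL": [
            RR("ns1.victim.example", "A", "203.0.113.9", 86400),
            RR("www.bank.example", "A", "203.0.113.9", 86400),
        ],
    }
    for rr, ok, why in cache.ingest(reply, zone):
        print(f"{'ACCEPT' if ok else 'REJECT'} {rr.name} {rr.rtype} {rr.rdata}: {why}")
    return cache


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the ADDITIONAL record for `ns1.victim.example` rejected as outranked (the cached ANSWER-rank address survives), the `www.bank.example` record rejected as out of bailiwick, and the ANSWER-section records accepted; the last point is why the slide's question of whether an address following a CNAME is "treated as an Answer" matters.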
1.1. slide 19
Getting Our Universal Attack Working Against BIND
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-archive.html