Describe IETF-draft/wijngaards here.
https://tools.ietf.org/html/draft-wijngaards-dnsext-resolver-side-mitigation-01
/3.3 Obtain Authoritative Data
1. Attack examples and countermeasures (unbound)
[To be examined. -- ToshinoriMaeno 2014-11-27 01:18:37 ]
4. Variants to Protect against
In the descriptions below a short title is given to quickly summarize the exploit.
The query 'q:' is what the attacker sends as fake question to the resolver to answer. The answer, authority 'auth:' and additional 'add:' sections list the content that the spoofer provides. The mitigation strategy, and sometimes discussion, is provided in the 'protected:' line.
The real target is example.com or www.example.com or ns1.example.com, which is the real nameserver for example.com here.
The domain evil.example.net is under control of the attacker and 192.0.2.66(evil) is an IP address under control of the attacker. The label 'bad123' is used in place of a label that the attacker varies every attempt to obtain new spoofing windows.
Glue with new DNS server
q: bad123.example.com.
answer: bad123.example.com. A whatever
auth: example.com. NS evil.example.com.
add: evil.example.com. A 192.0.2.66(evil)
- protected: 2181 adherence plus NS record pinned by NS query. Also name error or no data answers could be used, instead of this answer section.
Glue for DNS server
q: bad123.example.com.
answer: bad123.example.com. A whatever
auth: example.com. NS ns1.example.com. (normal entry)
add: ns1.example.com. A 192.0.2.66(evil)
- protected: 2181 adherence plus NS record pinned by NS query, plus A record pinned by glue query. Also name error or no data answers could be used, instead of this answer section.
Glue for Web server
q: bad123.example.com.
answer: bad123.example.com. A whatever
auth: example.com. NS www.example.com.
add: www.example.com. A 192.0.2.66(evil)
- protected: 2181 adherence plus NS record pinned by NS query.
Glue smaller
q: bad123.example.com.
answer: bad123.example.com. A 192.0.2.66(evil)
auth: example.com. NS bad123.example.com.
- protected: 2181 adherence plus NS record pinned by NS query.
NS change
q: bad123.example.com.
answer: bad123.example.com. A whatever
auth: example.com. NS evil.example.net.
- protected: 2181 adherence plus NS record pinned by NS query.
NS server migration
q: bad123.example.com.
answer: bad123.example.com. A whatever
auth: example.com. NS ns1.example.com. (normal entry)
auth: example.com. NS ns2.example.com.evil.example.net. (evil, looks like typo in server migration)
- protected: 2181 adherence plus NS record pinned by NS query.
CNAME
q: bad123.example.com.
answer: bad123.example.com. CNAME www.example.com.
answer: www.example.com. A 192.0.2.66(evil)
- protected: CNAME chain cutoff.
DNAME one message
q: www.bad123.example.com.
answer: bad123.example.com. DNAME example.com.
answer: www.bad123.example.com. CNAME www.example.com.
answer: www.example.com. A 192.0.2.66(evil)
- protected: DNAME chain cutoff.
DNAME whole zone
q: bad123.example.com.
answer: example.com. DNAME evil.example.net.
answer: bad123.example.com. CNAME bad123.evil.example.net.
answer: bad123.evil.example.net. A whatever
- protected: no DNAME from cache.
New Delegation - rigged
q: bad123.www.example.com.
answer: (empty)
auth: www.example.com. NS www.example.com.
add: www.example.com. A 192.0.2.66(evil)
- protected: the NS queries that ask referral confirmation together with glue queries.
New Delegation - looks normal
q: bad123.www.example.com.
answer: (empty)
auth: www.example.com. NS ns1.evil.example.net.
auth: www.example.com. NS ns2.evil.example.net.
- protected: the NS queries that ask referral confirmation together with glue queries.
New Delegation - for glue
q: bad123.example.com.
answer: (empty)
auth: bad123.example.com. NS ns1.example.com.
additional: ns1.example.com. A 192.0.2.66(evil)
- protected: rfc2181 adherence.
Another hitherto unknown variation
- These are a lot of variations and it is very likely that other people can come up with better, different ideas.
- protected: by entropy measures, by the count-and-wipe measure. Long term solutions (PING, TCP, DNSSEC) also aim to protect against these much more thoroughly.
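To make the 'protected:' lines above concrete, here is an added example (my own code, not the draft's and not Unbound's) of a resolver-side response sanitizer that applies RFC 2181 bailiwick ranking, NS and glue pinning, and CNAME chain cutoff to the variants listed above. The pinned cache contents and the addresses are constructed for illustration.

```python
# Added example (not the draft's or Unbound's code); names and addresses are
# constructed, 192.0.2.1 standing in for the legitimate ns1.example.com.
def in_bailiwick(name, zone):
    """True when name equals zone or lies below it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def sanitize(qname, response, zone, pinned):
    """Split a reply from a server for `zone` into (accepted, rejected).
    response: {"answer"/"auth"/"add": [(owner, type, rdata), ...]}; pinned:
    {(owner, type): set(rdata)} from explicit NS/glue queries (RFC 2181)."""
    accepted, rejected = [], []
    # Answer section: only the question name itself. A CNAME for qname is
    # kept, but the chain is cut off here; the target is queried separately.
    for rec in response.get("answer", []):
        if rec[0].lower() == qname.lower():
            accepted.append(rec)
        else:
            rejected.append((rec, "owner differs from qname (chain cutoff)"))
    # Authority section: NS must lie inside the bailiwick and must not
    # replace an NS set pinned by an explicit NS query.
    ns_targets = set()
    for rec in response.get("auth", []):
        owner, rtype, rdata = rec
        if rtype != "NS" or not in_bailiwick(owner, zone):
            rejected.append((rec, "out of bailiwick or not an NS record"))
        elif (owner.lower(), "NS") in pinned:
            rejected.append((rec, "NS set is pinned"))
        else:
            accepted.append(rec)
            ns_targets.add(rdata.lower())
    # Additional section: glue only for an accepted NS target, inside the
    # bailiwick, and never overriding an address pinned by a glue query.
    for rec in response.get("add", []):
        owner, rtype, rdata = rec
        if (rtype not in ("A", "AAAA") or owner.lower() not in ns_targets
                or not in_bailiwick(owner, zone)):
            rejected.append((rec, "not glue for an accepted in-bailiwick NS"))
        elif (owner.lower(), rtype) in pinned:
            rejected.append((rec, "address is pinned"))
        else:
            accepted.append(rec)
    return accepted, rejected
# Constructed cache state, then the "Glue with new DNS server" variant.
PINNED = {("example.com.", "NS"): {"ns1.example.com."},
          ("ns1.example.com.", "A"): {"192.0.2.1"}}
GLUE_NEW_NS = {"answer": [("bad123.example.com.", "A", "192.0.2.200")],
               "auth": [("example.com.", "NS", "evil.example.com.")],
               "add": [("evil.example.com.", "A", "192.0.2.66")]}
```

With an empty `pinned` the same reply is accepted whole, which is exactly why the draft insists on confirming the NS set and glue with separate queries before the unsolicited copies arrive.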