Thursday, May 15, 2003

DNS Cache Poisoning

SecurityFocus has an article explaining the history and coming attractions of DNS cache poisoning.

While cache poisoining is generally considered a "bad thing" (tm), it can also be used for good (like most hacker tools). For example, say you have a heavily loaded web cache and would like to initiate some sort of content filtering but can't afford the commercial software.

All you have to do is set up an additional Bind DNS server that only the web cache will use. Then grab the various freely available bad-site lists (Google/Yahoo/etc. for them!) and write a perl script to add them to the named.conf file as authoritive zone. All of the zones should reference the same zone file (possible if you use the implicit shortcuts [blank LHS, ampersands, wildcards, etc.]) In that single zone file, you only need the following A record:

* IN A

where you change to the IP address of a webserver which displays something innocuous (suggestion: the default page could present your organization's acceptable usage policy).

It's cheesy but works when you don't have a budget for anything better. You can protect the poisoned DNS server by setting up iptables, IPFW, or whatever similar method your OS uses so that only the web cache can access it. I came up with this method after trying to continuously add keywords to Squid filters (the basic filter only allows 256 entries per line and above a certain number of lines noticeably slows) or filters to the firewall (which also noticeably slowed). Poisoning a DNS only eats up additional memory and doesn't affect the speed of the network.

The bad news is that this can turn into a full-time job, keeping up with your in-house surfers, but it is an option. Just for the record, I had over 21,000 zones poisoned and didn't affect network speed.

The article is a good read though.

No comments:

Post a Comment