ISC SANS has recently disclosed yet another suspected DNS cache
poisoning attack. I reach a different conclusion. based on publicly
available data. Maybe there is unpublished information which suggests
a different view.
Unofficial name servers which pose as authoritative for well-known
zones have been around for ages. An astonishingly large number is
officially authoritative for (at least somewhat) frequented zones, and
from time to time, your resolvers receive authority sections
containing leaked unofficial data. I noticed this unfortunate fact
back in July 2004, when I looked more closely at DNS packet captures
for debugging purposes. Even in my limited sample, the number leaking
name servers was so high that systematically contacting their
operators and convincing them to change their configurations seemed
unfeasible (and many of them were located in regions which are not
exactly known for their cooperative spirit when it comes to such
Today, I looked again at a few unofficial servers. Quite a few of
them are operated by apparently respectable organizations with an AS
number etc. (definitely not the backyard servers behind a cable modem
I would expect in an attack). It is hard to tell if the more shady
ones legitimately redirect customer traffic, and unintentionally leak
these records to the general Internet, or attempt an actual attack.
(I'm not sure how to tell them apart at the protocol level. Maybe I'm
missing something.) Many of the unofficial records have been
unchanged for quite some (i.e. predating the current "pharming"
craze). Even the DNS cache poisoning case described in the ISC diary
could be the unwanted consequence of an oversimplified DNS
configuration (wildcard RRs for *.com instead of a proper DNS zone).
Are any ISPs actually willing to disconnect customer name servers
which serve unofficial zones? I don't believe that many ISPs would
try to exercise this much control over the packets their customers
send. Furthermore, there are apparently some reasons for running such
servers which generally are considered legitimate.
Should we monitor for evidence of hijacks (unofficial NS and SOA
records are good indicators)? Should we actively scan for
authoritative name servers which return unofficial data? I don't
think this makes sense, even if we could strongly discourage the
practice. Right now, I suspect that many people rediscovered the
relative weakness of the domain name system and started looking for
anomalies, and that's why we see an increasing number of reports --
not because of an increasing number of actual attacks.