December 27th, 2001, 03:51 PM
DNS (the other white meat)
I was going to write a tutorial on what DNS is and how to work with it....but somebody else did. So, I figured I would write a quick bit on sploiting it. As you already know.....DNS is a fundamental protocol that uses both TCP/UPD (port 53) to associate a user friendly name (www.antionline.com) with the actual routing IP (126.96.36.199). Sounds simple and rather straight forward but bind as well as other DNS services tend to give away and recieve information without authenticating what the source/destination is. It is possible to actually perform a zone transfer (DNS servers periodically send large amounts of records to and from each other to simplifiy management) in order to find out information such as IP addressing and other information concerning a network that would normally be hidden behind a firewall. In the reverse thinking, you could in theory hide invalid information within a valid request to a dns server. The server would cache this information and would redirect the users to sites of choice. The method is undetectable and very effective. The second would be to actually compromise the DNS server (highly unlikely but possible) and then modify the forward and reverse lookup tables (remember from the other tutorial?). This would allow you to pretty much control where a browser goes when somebody types www.wherever.com. The reason I am telling you guys this is because we are security fundamentalists and should know that DNS vulnerabilities are rare but very possible. The moral of this story: There is authentication software out there (digital certificates or whatnot as well as software for Bind) that defeats anybody's ability to apply a trasfer or use their own dns server to feed in false information. Sometimes the little stuff is what can kick you in the ass. The next thing to do would be to apply logging features to the server...this would allow for you to detect an intruder before or after the dns server was comprimised. The last but not least would be to deny any requests outside the primary dns server. By filtering port 53 you should be able to get away without a scratch. I would suggest to filter TCP on port 53 and leave UDP alone. Why? Because TCP is used for zone transfers while UDP is for lookups. Well....enough for now(have to work sometime right?). Later we will get into how to apply transfers and implement more security.
December 27th, 2001, 03:55 PM
good tutorial - keep it up!
[shadow]uraloony, Founder of Loony Services[/shadow]
Visit us at
December 27th, 2001, 04:05 PM
Dude, good post...cache poisoning! Keep it up!
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.