Attachment 'Kaminsky.txt'

Kaminsky Defence
================

A typical Kaminsky attack is to attack a domain, say

www.example.com

by asking a series of questions

<random>.www.example.com

and sending spoof referral responses ( "Phantom Referrals" ) with a
delegation to a machine controlled by the attacker, e.g.

www.example.com NS a.evil.com

The true response will be NxDomain, normally with a SOA record

example.com SOA ......

To defend, when we get a NxDomain response, the resolver marks all the
domains in the Question strictly below the Bailiwick ( the Owner of the
NS record that was used to select the name server for the query ) with
an NZ flag ("Not a Zone").

If unexpectedly we later get an NS record for an NZ domain, we reject the
response, clear the NZ flag, and retry the query.

Complete Acceptance rules
=========================

When reading a response, only the following records are accepted :

1. Records in the Answer section of an Authoritative response (AA=1)
that have Owner = QNAME ( the domain of the Question ).

2. NS records in the Authority section that have an Owner name meeting
all of the tests 2.1 to 2.3

  2.1 The Owner Name NZ flag must be clear.
  2.2 The Owner Name must be strictly below the Bailiwick.
  2.3 The Owner Name must be equal to or an ancestor of the Query Name.

3. A / AAAA records in the Additional section that resolve an accepted
   NS record.

Here is a table of attack queries, spoof NS records that are rejected,
and the rule that causes rejection. The Bailiwick in each case is
example.com, which is assumed to have no sub-zones.

Attack query                Spoof record                     Rule
------------                ------------                     ----
<random>.www.example.com    www.example.com NS a.evil.com    2.1

<random>.www.example.com    example.com NS a.evil.com        2.2

<random>.example.com        www.example.com NS a.evil.com    2.3

There is an assumption that the attacker can inject spoof responses, but
cannot stop most genuine responses getting through.
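The following is an added worked model of the NZ-flag procedure and of acceptance rules 1 to 3 above; it is example code written for this page, not the wiki author's resolver. The class and function names (Resolver, RR, Response, check_response, table_demo, referral_demo), the label "abc123" standing in for <random>, the SOA rdata and the 192.0.2.x addresses are all constructed for the illustration. It replays the three rows of the table and also shows a genuine referral from the com servers passing every rule while an off-target A record in the Additional section is dropped by rule 3.

```python
"""Model of the 'Kaminsky Defence' acceptance rules (added example, not the page's own code)."""
from dataclasses import dataclass, field


def labels(name):
    """Normalise a domain name to a lower-case label list with the root label dropped."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def strictly_below(name, ancestor):
    """Rule 2.2 test: name is a proper descendant of ancestor."""
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[len(n) - len(a):] == a


def equal_or_ancestor(name, child):
    """Rule 2.3 test: name == child, or name is an ancestor of child."""
    n, c = labels(name), labels(child)
    return len(n) <= len(c) and c[len(c) - len(n):] == n


@dataclass
class RR:
    owner: str
    rtype: str
    rdata: str


@dataclass
class Response:
    qname: str
    aa: bool
    rcode: str                                   # "NOERROR" or "NXDOMAIN"
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


@dataclass
class Resolver:
    nz: set = field(default_factory=set)         # owner names carrying the NZ ("Not a Zone") flag

    def mark_nz(self, qname, bailiwick):
        """On NxDomain: flag every name in the Question that is strictly below the bailiwick."""
        ls = labels(qname)
        for i in range(len(ls)):
            cand = ".".join(ls[i:])
            if strictly_below(cand, bailiwick):
                self.nz.add(cand)

    def check_response(self, resp, bailiwick):
        """Apply rules 1-3 and return (verdict, accepted, rejected).

        rejected pairs each dropped record with the rule that dropped it; verdict is
        "retry" when an NS record arrived for an NZ name (flag cleared, query retried)."""
        accepted, rejected, accepted_ns, retry = [], [], [], False
        if resp.rcode == "NXDOMAIN":
            self.mark_nz(resp.qname, bailiwick)
        for rr in resp.answer:                   # Rule 1: AA=1 and Owner == QNAME
            if resp.aa and labels(rr.owner) == labels(resp.qname):
                accepted.append(rr)
            else:
                rejected.append((rr, "1"))
        for rr in resp.authority:                # Rule 2: NS records passing 2.1, 2.2, 2.3
            owner = ".".join(labels(rr.owner))
            if rr.rtype != "NS":
                rejected.append((rr, "2"))       # e.g. the SOA on an NxDomain: not a delegation
            elif owner in self.nz:
                rejected.append((rr, "2.1"))
                self.nz.discard(owner)           # clear the flag; the caller retries the query
                retry = True
            elif not strictly_below(owner, bailiwick):
                rejected.append((rr, "2.2"))
            elif not equal_or_ancestor(owner, resp.qname):
                rejected.append((rr, "2.3"))
            else:
                accepted.append(rr)
                accepted_ns.append(rr)
        targets = {".".join(labels(ns.rdata)) for ns in accepted_ns}
        for rr in resp.additional:               # Rule 3: glue only for an accepted NS target
            if rr.rtype in ("A", "AAAA") and ".".join(labels(rr.owner)) in targets:
                accepted.append(rr)
            else:
                rejected.append((rr, "3"))
        return ("retry" if retry else "ok"), ([] if retry else accepted), rejected


def table_demo():
    """Replay the page's table. Returns ({row: rejecting rule}, names still flagged NZ)."""
    bw, r = "example.com", Resolver()
    spoof = lambda owner: RR(owner, "NS", "a.evil.com")
    # A genuine NxDomain for an earlier probe gets through and flags www.example.com as NZ.
    genuine = Response("first.www.example.com", aa=True, rcode="NXDOMAIN",
                       authority=[RR("example.com", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 86400")])
    r.check_response(genuine, bw)
    rows = {}
    for row, qname, owner in (("row1", "abc123.www.example.com", "www.example.com"),
                              ("row2", "abc123.www.example.com", "example.com"),
                              ("row3", "abc123.example.com", "www.example.com")):
        _, _, rej = r.check_response(Response(qname, aa=False, rcode="NOERROR", authority=[spoof(owner)]), bw)
        rows[row] = rej[0][1]
    return rows, sorted(r.nz)


def referral_demo():
    """A genuine referral from the com servers (bailiwick "com") passes; off-target glue does not."""
    resp = Response("www.example.com", aa=False, rcode="NOERROR",
                    authority=[RR("example.com", "NS", "ns1.example.com")],
                    additional=[RR("ns1.example.com", "A", "192.0.2.1"),
                                RR("www.example.com", "A", "192.0.2.99")])   # constructed off-target record
    verdict, acc, rej = Resolver().check_response(resp, "com")
    return verdict, [(x.owner, x.rtype) for x in acc], [(x.owner, rule) for x, rule in rej]


if __name__ == "__main__":
    print(table_demo())
    print(referral_demo())
```

Note the ordering in table_demo: the rule 2.1 hit on row 1 clears the NZ flag on www.example.com, so row 3 is rejected by 2.3 rather than 2.1, matching the table. Only first.www.example.com remains flagged afterwards, because no further NxDomain was seen.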
