|
|
|
|
|
|
by kj4ips
298 days ago
|
|
|
I think the idea here is to induce the request to a garbage domain (such as by using it as an email domainpart, to get an SPF and/or DKIM lookup), and forge a response with other names in the additional section. This also somewhat fits with DNSSEC as a mitgation, as the additional section (if not discarded outright) should result in a signature chase by the resolver, which should fail if the targeted domain is dnssecd. Imagine that: * I have an evil system at 192.0.2.1 * target at 198.51.100.1 which is an MTA, and is it's own resolver with dnsmasq. * foobar.com has a nameserver that silently drops any request with a ! in the first label I first send a mail to 192.51.100.1 claiming to be from bob@"foo!bar.foobar.com" 192.51.100.1 sends a request to the auth ns for foobar.com, which gets droped. While this is happening, I spam the crud out of 192.51.100.1 from 192.0.2.1 with forged answers for foo!bar.foobar.com that contain additional responses stating deb.debian.org is at 192.0.2.1 with a ttl of months. If I am lucky dnsmasq caches BOTH the foo!bar.foobar.com response, and the deb.debian.org one, meaning that future accesses to deb.debian.org instead go to my attacker-controlled nastybox. |
|
|