This is a discussion on RE: pharming.. dns cache insertion... within the Bind Users forums, part of the DNS and Related Forums category.
At 10:32 AM -0700 2005-04-09, bruce wrote:
> how does one/could one go about determining if an IP Address is actually
> valid...

Without DNSSEC, you have to start trusting somebody, somewhere. Generally, this means that you trust the root nameservers. So, you follow the chain down.

If you want to check out www.example.com, you first go to the root nameservers to see who the nameservers are for .com. You then go to the nameservers for .com to see who the nameservers are for example.com. You then go to the nameservers for example.com to see if there are different nameservers for www.example.com. Assuming that there are not, you then ask the nameservers for example.com what the IP address(es) is/are for www.example.com.

This is basically the same process that your caching/recursive nameserver will have done, only you do this process separately to validate the information in your caching/recursive nameserver.

Tools like "doc" will automatically check this chain of delegation information for you.

> but if i poll 500-1000 DNS servers for a given IP Address, shouldn't i start
> to see patterns that tell me what the valid IP addresses are for the URL, so
> that an address that gets returned to me (or a false one that's hard coded)
> could be identified as being false...

Not really. Check www.google.com. Check that from a thousand different places in the world, and you may get a thousand different answers because of the way they do load balancing. Check the root nameservers, and you *will* get different answers, because of the way that some of them do load-balancing. Check anyone that uses Akamai or Akamai-type distribution networks.

Don't bother polling other nameservers. Even if they were to answer you, the answers they get may not be any more valid for you than anything else you might see from anywhere else. The only answers you can be reasonably sure are valid are those which you get from the authoritative nameservers for that domain.

Of course, that entire process breaks down with DNS cache poisoning or pollution (poisoning is when this sort of stuff is done intentionally, it's called pollution if it's done accidentally), but without DNSSEC, there's not any other way to deal with this problem.

--
Brad Knowles, <brad@stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

-- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

SAGE member since 1995. See <http://www.sage.org/> for more info.
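The delegation walk described in the reply above, sketched as an added example that is not part of the original post: it follows referrals from the root down to the authoritative servers and then compares the result with what a caching resolver returned. The server names, the addresses (documentation ranges) and the `query` stand-in for a non-recursive DNS query are all constructed assumptions so the logic runs offline.

```python
# Constructed data: what each server would return to a non-recursive query.
# Server names and addresses are invented for illustration.
SERVERS = {
    "root-ns.invalid.": {"referrals": {"com.": ["com-ns.invalid."]}},
    "com-ns.invalid.": {"referrals": {"example.com.": ["ns1.example.com."]}},
    "ns1.example.com.": {
        "a": {"www.example.com.": {"192.0.2.10", "192.0.2.11"}},
    },
}

def query(server, name):
    """Stand-in for one non-recursive query sent to `server` (hypothetical helper)."""
    data = SERVERS[server]
    if name in data.get("a", {}):
        return ("answer", data["a"][name])
    # Pick the most specific delegation that covers the name.
    matches = [z for z in data.get("referrals", {})
               if name == z or name.endswith("." + z)]
    if not matches:
        return ("nodata",)
    zone = max(matches, key=len)
    return ("referral", zone, data["referrals"][zone])

def walk_delegation(name, root="root-ns.invalid.", max_hops=10):
    """Follow referrals from the root; return (chain, authoritative address set)."""
    server, chain = root, []
    for _ in range(max_hops):  # bound the walk so a referral loop cannot hang it
        reply = query(server, name)
        if reply[0] == "answer":
            chain.append((server, "answer"))
            return chain, set(reply[1])
        if reply[0] != "referral":
            raise LookupError(f"{server} has no data or delegation for {name}")
        chain.append((server, reply[1]))
        server = reply[2][0]  # a real check would try every listed server
    raise LookupError(f"too many referrals while resolving {name}")

def check_cache(name, cached_ips):
    """Return cached addresses that the authoritative servers did not give."""
    _, authoritative = walk_delegation(name)
    return sorted(set(cached_ips) - authoritative)
```

A non-empty result from `check_cache` is a reason to query again rather than proof of poisoning, since, as the reply notes, load-balanced names can return different addresses on each lookup.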