At 14:27 +0000 2/19/07, Tony Finch wrote:
> If you point NS records at private networks then you can get DNS servers to send queries to their private networks. The timing of any responses you get might give you some information about their network topology, e.g. which hosts are up, etc.
So, put in "myzone.example NS ns1.myzone.example." and "ns1.myzone.example A 10.0.0.1" and send out phishing spam causing a lookup on www.myzone.example.
If I click on the link, my local recursive server will be referred to ns1.myzone.example. The next query ought to go to the local 10.0.0.1 or at worst the border router.
What timing is going on? Who's measuring? I don't get this. Or are you saying that the iterating server is accepting outside queries?
> More interestingly, consider a user on a private network that is heavily firewalled (not even NAT connectivity to the Internet) and who wants to tunnel out. If there is a nameserver connected to the internal and external networks, and the user can persuade it to make a query controlled by the user, then the user can get it to recurse back and forth between a public IP address and the user's private IP address, passing data in the process. Note that the user does not require direct access to a recursive resolver: for example, they could trigger the query by saying HELO to a mail server. One trigger query can result in several back-and-forth exchanges via the tunnel.
There was a time when I worked in a place that looked at such exercises. That's a security design issue. I.e., if you have a bunch of machines that are not supposed to be able to send information out then you shouldn't have any means by which they can. Air gap, or some other theory application of multi-level security.
Then again, what does this have to do with an A record of an NS being RFC 1918?

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

"Two years ago you said we had 5-7 years, now you are saying 3-5. What I need from you is a consistent story..."

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop
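As an added example (not code from the thread, nor from either poster): a small Python check of the kind a recursive resolver or a zone-lint tool could apply to delegations, refusing to send queries to name servers whose A/AAAA records fall in RFC 1918 or other non-globally-routable ranges. That is the resolver-side mitigation for both scenarios in the thread: with no routable target left for a zone, the resolver fails the lookup instead of probing its own LAN or bouncing data between an inside and an outside address. The zone names, addresses and the "owner TYPE rdata" record format are constructed for the example; the RFC 5737 / RFC 3849 documentation prefixes stand in for public addresses.

```python
import ipaddress
from collections import defaultdict

# Address blocks a public-facing resolver should never be steered into
# querying: RFC 1918 plus the other non-globally-routable ranges. Kept as an
# explicit, tunable list rather than relying on ipaddress.is_private, which
# would also flag the RFC 5737 documentation prefixes used below as stand-ins
# for public addresses.
UNROUTABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",            # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",            # loopback, link-local, CGNAT
    "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",                   # "this" net, multicast, reserved
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",    # IPv6 counterparts
)]

# Constructed sample records (not from the thread), one "owner TYPE rdata" per line.
SAMPLE_RECORDS = """
myzone.example.      NS   ns1.myzone.example.
myzone.example.      NS   ns2.myzone.example.
ns1.myzone.example.  A    10.0.0.1           ; RFC 1918: would make the resolver probe its LAN
ns2.myzone.example.  A    192.0.2.53         ; public address (documentation prefix)
ns2.myzone.example.  AAAA ::ffff:172.16.5.5  ; IPv4-mapped RFC 1918, must be unwrapped to be caught
other.example.       NS   ns.other.example.
other.example.       NS   ns-v6.other.example.
ns.other.example.    AAAA fd00::1            ; IPv6 ULA, the v6 analogue of RFC 1918
ns-v6.other.example. AAAA 2001:db8::53       ; public address (documentation prefix)
lonely.example.      NS   ns.lonely.example.
ns.lonely.example.   A    127.0.0.1          ; loopback: zone ends up with no usable server
"""


def parse_records(text):
    """Parse 'owner TYPE rdata' lines into (owner, type, rdata) tuples,
    ignoring blank lines and ';' comments. Owners and NS targets are
    compared case-insensitively, as DNS names are."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        records.append((owner.lower(), rtype.upper(), rdata.strip()))
    return records


def is_unroutable(addr):
    """True if addr must not be used as a query destination. Malformed
    addresses are treated as unroutable so a bad record fails closed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    # ::ffff:10.0.0.1 is really 10.0.0.1; judge the embedded IPv4 address
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in UNROUTABLE_NETS)


def audit_delegations(records):
    """For every zone with NS records, split its name server addresses into
    those a resolver may query ('usable') and those it must skip ('rejected').
    Returns {zone: {'usable': [(ns, addr), ...], 'rejected': [...]}}."""
    addrs = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addrs[owner].append(rdata)
    result = {}
    for owner, rtype, rdata in records:
        if rtype != "NS":
            continue
        entry = result.setdefault(owner, {"usable": [], "rejected": []})
        ns = rdata.lower()
        for addr in addrs.get(ns, []):
            bucket = "rejected" if is_unroutable(addr) else "usable"
            entry[bucket].append((ns, addr))
    return result


def query_targets(records, zone):
    """Addresses a resolver may send the next query for `zone` to. An empty
    list means the delegation offers nothing routable, so the resolver should
    give up (SERVFAIL) rather than follow it into a private network."""
    entry = audit_delegations(records).get(zone.lower(), {"usable": []})
    return [addr for _, addr in entry["usable"]]


if __name__ == "__main__":
    report = audit_delegations(parse_records(SAMPLE_RECORDS))
    for zone, buckets in report.items():
        print(zone)
        for ns, addr in buckets["rejected"]:
            print(f"  REJECT  {ns:<22} {addr}")
        for ns, addr in buckets["usable"]:
            print(f"  ok      {ns:<22} {addr}")
        if not buckets["usable"]:
            print("  -> no routable name server; resolver must fail this lookup")
```

The two checks complement each other: is_unroutable is the per-address policy a resolver applies before opening a socket, and audit_delegations is the same policy run over a whole zone's delegations so an operator can spot an NS whose glue points inside before it is published. Unwrapping IPv4-mapped IPv6 addresses matters in practice, since a dual-stack resolver that only compared the textual AAAA value against IPv4 ranges would happily send traffic to ::ffff:172.16.5.5.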