The 200 trusted .com servers

Subject: The 200 trusted .com servers
From: D. J. Bernstein (djb@CR.YP.TO)
Date: Sun Jan 23 2000 - 12:49:46 CET

Would you trust *.com DNS information from a computer that's running
BIND 8.2.1 and Sendmail 8.8.5 today, sitting on an open network in the
electrical engineering department at a large Australian university?

``Of course not,'' you say. ``Top-level DNS servers can't use versions
of BIND with well-known remote root exploits. They can't run any mail
programs. They can't be on open networks. They have to be protected from
sniffing. This is how the twelve official .com servers are run.''

But there's a difference between the twelve official .com servers and
what your DNS cache _thinks_ are the .com servers. This is true even if
all IP packets are cryptographically authenticated.

Suppose an attacker can make recursive queries through your cache. Let
me emphasize that this does not mean that the attacker is one of your
beloved users; many programs act as DNS query-tunneling tools.

Suppose the attacker is also able, somehow, to take over
This isn't one of the .com servers, but it's a name server for the domain. Here's what happens:

   (1) The attacker asks your cache about Your cache contacts
       (say), which provides a referral:

          com NS (among others)

       These records are cached.

   (2) The attacker asks your cache about Your cache
       contacts (say), which provides a referral:

 NS (among others)

       These records are cached.

   (3) The attacker takes over

   (4) The attacker asks your cache about Your
       cache contacts, and the attacker answers:


       These records are cached, wiping out the obsolete j glue.

   (5) A legitimate user asks your cache about Your cache
       contacts, and the attacker answers:


       The user contacts at that address.

In some of these steps, your cache could have tried other servers first.
Perhaps the attacker briefly flooded your network, or those servers. Or
perhaps the attacker abused BIND's bogus ``credibility'' rules, as I
described in a previous message, to knock the other server addresses out
of your cache.

Of course, the same pattern can be extended. The attacker can start by
taking over one obscure computer in Australia. That lets him control the
address of a slightly less obscure computer; this power, in turn, lets
him control the address of yet another computer; and so on. After a
chain of ten NS records, he controls .com. (Exercise: Find this
computer. Hint: The chain doesn't include

Right now there are more than 200 computers, spanning 224 IP addresses,
that can trivially take over .com in this way. They don't have to forge
packets; their power is provided by the architecture and configuration
of the Domain Name System. Some of these computers are clearly insecure.

Similar comments apply to many second-level domains that use third-party
slave servers. If your.dom has an NS record of fud.third.dom, you're
trusting not only the real fud.third.dom machine, but all the third.dom
servers. It's better to copy the real IP address to b.ns.your.dom, and
use that in your NS record. This also improves the reliability of the
resolution process:

The only real obstacle is NSI, which currently doesn't allow
registration of multiple names with the same IP address.


This archive was generated by hypermail 2b25 : Mon Jan 24 2000 - 12:43:38 CET