With negative caching it might be possible to propagate a denial of
service attack by spreading a NXDOMAIN message with a very high TTL.
Without negative caching that would be much harder. A similar effect
could be achieved previously by spreading a bad A record, so that the
server could not be reached - which is almost the same. It has the
same effect as far as what the end user is able to do, but with a
different psychological effect. With the bad A, I feel "damn the
network is broken again" and try again tomorrow. With the "NXDOMAIN"
I feel "Oh, they've turned off the server and it doesn't exist any
more" and probably never bother trying this server again.
ネガティブキャッシングがあると、
非常に大きい TTL の NXDOMAINメッセージを広めることで、
サービス拒否攻撃を伝播させる可能性がある。
ネガティブキャッシングが無かったらずっと難しかっただろう。
以前は嘘の A レコードを広めることにより、サーバにアクセス出来なくするという
同様の効果が達成できた。これは DoS 攻撃とほぼ同じことである。
エンドユーザにできることとしては同じ効果を持つが、心理的効果は異なる。
悪意の A レコードなら、「ネットワークがまた壊れているぞ」と感じ、
次の日に試みるだろう。
"NXDOMAIN"だと、「あー、サーバを停止してしまったようだ。
もうなくなったんだ。」と感じ、
恐らく二度とこのサーバーを使おうとしないだろう。
A practical example of this is a SMTP server where this behaviour is
encoded. With a NXDOMAIN attack the mail message would bounce
immediately, where as with a bad A attack the mail would be queued
and could potentially get through after the attack was suspended.
これの実際的な例がこの動作をするSMTPサーバである。
NXDOMAIN 攻撃の場合、メイルメッセージはただちにバウンスする。
嘘の A レコード攻撃ではメイルは待ち行列に入れられ、
攻撃が止った後で、配送される可能性がある。
For such an attack to be successful, the NXDOMAIN indiction must be
injected into a parent server (or a busy caching resolver). One way
this might be done by the use of a CNAME which results in the parent
server querying an attackers server. Resolvers that wish to prevent
such attacks can query again the final QNAME ignoring any NS data in
the query responses it has received for this query.
このような攻撃が成功するためには、
NXDOMAIN (告訴)が親サーバ(または高負荷のキャッシングリゾルバ)
に注入されなくてはならない。。
親サーバが攻撃者のサーバに問合せる結果になるような
CNAMEを使うことで、こうやれる可能性がある。
こういう攻撃をさせたくないリゾルバはこの問合せに対して受けとった
返答中の すべての NS データを無視して
最終の QNAME について改めて問合せることができる。
Implementing TTL sanity checking will reduce the effectiveness of
such an attack, because a successful attack would require re-
injection of the bogus data at more frequent intervals.
TTL の正しさの検査を実装すると、この種の攻撃の有効性を減らせる。
攻撃が成功するにはより頻繁な間隔でのにせのデータの再注入が必要だから。
DNS Security [RFC2065] provides a mechanism to verify whether a
negative response is valid or not, through the use of NXT and SIG
records. This document supports the use of that mechanism by
promoting the transmission of the relevant security records even in a
non security aware server.
DNS セキュリティ[RFC2065]は NXT と SIGレコードの使用を通して、
否定返答が正当であるかを検証する機構を提供する。
セキュリティに関心のないサーバにも適切なセキュリティレコードの
交信を奨励することでこの文書は上記の機構の使用をサポートする。
[RFC1034]
Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES,"
STD 13, RFC 1034, November 1987.
[RFC1035]
Mockapetris, P., "DOMAIN NAMES - IMPLEMENTATION AND
SPECIFICATION," STD 13, RFC 1035, November 1987.
[RFC2065]
Eastlake, D., and C. Kaufman, "Domain Name System Security
Extensions," RFC 2065, January 1997.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels," BCP 14, RFC 2119, March 1997.
[RFC2181]
Elz, R., and R. Bush, "Clarifications to the DNS
Specification," RFC 2181, July 1997.
Author's Address
Mark Andrews
CSIRO - Mathematical and Information Sciences
Locked Bag 17
North Ryde NSW 2113
AUSTRALIA
Phone: +61 2 9325 3148
EMail: Mark.Andrews@cmis.csiro.au
Full Copyright Statement
Copyright (C) The Internet Society (1998). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.