
DNS SURVEY: CACHE POISONERS

About

We used to run ongoing, periodic surveys that looked for DNS cache poisoners. A nameserver can poison a vulnerable DNS cache by returning bad (incorrect) referrals, that is, bogus NS records, for important domains. If a local caching resolver trusts the bad referral, future queries for the affected domain are sent to the wrong nameserver, which may refuse to answer them or provide incorrect answers.

The caching DNS servers shipped with Microsoft Windows NT and 2000 are vulnerable to this kind of cache poisoning. Windows 2003 is not vulnerable by default, but becomes vulnerable if the administrator unchecks its "prevent cache poisoning" option.

Methodology

We start with a large list of domain names and, for each one, follow the hierarchy of referrals from the root down, recording the NS records each parent zone hands out. At the end of the walk we have the list of nameservers that are authoritative for the name. Then, we send a query for the name to each of those authoritative nameservers.

We compare every NS RR set in each authoritative reply to the referrals previously learned for that zone and its parent zones. If the NS records in an authoritative response do not match the previously learned delegations, we say that the nameserver is a source of DNS cache poisoning.
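The comparison above, written out as an offline model. This is an added example, not The Measurement Factory's survey code: the delegation table stands in for the referrals learned on the walk down from the root, the replies are constructed rather than captured, and all names (ns.attacker.example, the example.com and example.net delegations) are hypothetical. It separates the two ways a reply can disagree with the delegations: an NS set for an ancestor zone (the case a trusting cache would use to overwrite a real delegation) and an apex NS set that merely differs from the parent's.

```python
"""Offline model of the survey's delegation walk and NS RRset comparison.

Everything here is constructed for illustration: DELEGATIONS stands in for the
referrals learned walking down from the root, REPLIES for the NS records in
replies from the servers the walk ended at. No queries are sent.
"""
from typing import Dict, List, Set, Tuple

NSSet = Set[str]
Finding = Tuple[str, str, List[str], List[str]]  # (owner, kind, expected, observed)


def canon(name: str) -> str:
    """Canonical owner name: lower-case, one trailing dot, "." for the root."""
    name = name.strip().lower().rstrip(".")
    return name + "." if name else "."


def ancestors(name: str) -> List[str]:
    """Zones from the root down to, but excluding, name itself."""
    name = canon(name)
    if name == ".":
        return []
    labels = name.rstrip(".").split(".")
    path = ["."]
    for i in range(len(labels) - 1, 0, -1):
        path.append(".".join(labels[i:]) + ".")
    return path


def learn_referrals(delegations: Dict[str, NSSet], name: str) -> Dict[str, NSSet]:
    """Follow the referral chain for name, recording the NS set each parent hands out.
    The walk stops at the closest enclosing zone cut, so the last key is the zone
    whose servers are authoritative for name."""
    learned: Dict[str, NSSet] = {}
    for zone in ancestors(name) + [canon(name)]:
        if zone not in delegations:
            break
        learned[zone] = {canon(n) for n in delegations[zone]}
    return learned


def check_reply(learned: Dict[str, NSSet], rrsets: Dict[str, NSSet]) -> List[Finding]:
    """Compare every NS RRset in a reply with the referral learned for that zone.
    kind "ancestor": NS set for a zone above the one asked about (e.g. "net.");
    kind "apex": the zone's own NS set disagrees with its parent's delegation."""
    if not learned:
        return []
    apex = next(reversed(learned))  # deepest zone on the walk
    findings: List[Finding] = []
    for owner, observed in rrsets.items():
        owner = canon(owner)
        observed = {canon(n) for n in observed}
        expected = learned.get(owner)
        if expected is None or observed == expected:
            continue  # zone not on the walk, or RRset agrees with the delegation
        kind = "apex" if owner == apex else "ancestor"
        findings.append((owner, kind, sorted(expected), sorted(observed)))
    return findings


def run_survey(delegations: Dict[str, NSSet], replies) -> Dict[str, List[Finding]]:
    """Map each responding server to its mismatches; servers with none are omitted."""
    poisoners: Dict[str, List[Finding]] = {}
    for server, name, rrsets in replies:
        findings = check_reply(learn_referrals(delegations, name), rrsets)
        if findings:
            poisoners.setdefault(canon(server), []).extend(findings)
    return poisoners


# Constructed delegation table: the NS set each zone's parent hands out in referrals.
DELEGATIONS: Dict[str, NSSet] = {
    ".": {"a.root-servers.net."},
    "com.": {"a.gtld-servers.net.", "b.gtld-servers.net."},
    "net.": {"a.gtld-servers.net.", "b.gtld-servers.net."},
    "example.com.": {"ns1.example.com.", "ns2.example.com."},
    "example.net.": {"ns.attacker.example."},  # hypothetical poisoner
}

# Constructed replies: (responding server, name queried, NS RRsets in the reply by owner).
REPLIES = [
    # Agrees with the delegation; differs only in case and trailing dot.
    ("ns1.example.com.", "example.com.",
     {"example.com.": {"ns1.example.com.", "NS2.example.com"}}),
    # Poisoner: also returns an NS RRset for the parent zone "net." pointing at itself.
    ("ns.attacker.example.", "example.net.",
     {"example.net.": {"ns.attacker.example."}, "net.": {"ns.attacker.example."}}),
    # Apex NS set disagrees with the parent's delegation (ns3 where the parent says ns2).
    ("ns1.example.com.", "www.example.com.",
     {"example.com.": {"ns1.example.com.", "ns3.example.com."}}),
]

if __name__ == "__main__":
    for server, findings in run_survey(DELEGATIONS, REPLIES).items():
        for owner, kind, expected, observed in findings:
            print(f"{server}: {kind} mismatch for {owner}, expected {expected}, got {observed}")
```

Against real servers the `rrsets` argument would be built from the NS records in the answer and authority sections of each reply, and the delegation table from the referrals actually received on the way down; the comparison logic itself does not change. Note that the survey's rule flags both kinds of mismatch, but only the "ancestor" kind lets a trusting cache redirect queries for a zone the responding server was never delegated.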

Results

No surveys have been executed since September 2007. Rather than continue to publish stale information, we've decided to remove the survey data from this site. Please contact us via email if you have any questions about the DNS poisoner survey.

© 2020 The Measurement Factory.