From: Jethro Tull [jethro@DQC.ORG] Sent: Saturday, August 28, 1999 11:09 PM To: BUGTRAQ@SECURITYFOCUS.COM Subject: Dynamic DNS The following is taken directly from RFC2136. (http://www.isi.edu/in-notes/rfc2136.txt) -- 8.1. In the absence of [RFC2137] or equivalent technology, the protocol described by this document makes it possible for anyone who can reach an authoritative name server to alter the contents of any zones on that server. This is a serious increase in vulnerability from the current technology. Therefore it is very strongly recommended that the protocols described in this document not be used without [RFC2137] or other equivalently strong security measures, e.g. IPsec. 8.2. A denial of service attack can be launched by flooding an update forwarder with TCP sessions containing updates that the primary master server will ultimately refuse due to permission problems. This arises due to the requirement that an update forwarder receiving a request via TCP use a synchronous TCP session for its forwarding operation. The connection management mechanisms of [RFC1035 4.2.2] are sufficient to prevent large scale damage from such an attack, but not to prevent some queries from going unanswered during the attack. -- All Dynamic DNS services that I know of are vulnerable . I am not going to include code, but it is a trivial task to spoof a packet (UDP or TCP) with RR data in the format this RFC specifies. In other words, anyone can manipulate RR records by sending bogus data because the only authentication is IP. That is all I have to say about that. jethro "If I had of only known, I would have been a locksmith" - Albert Einstein