On Wed, 23 Jul 2008, Kevin Day wrote: > > The new way is slightly more sneaky. You get the victim to try to > resolve an otherwise invalid and uncached hostname like 00001.gmail.com, > and try to beat the real response with spoofed replies. Except this time > your reply comes with an additional record containing the IP for > www.gmail.com to the one you want to redirect it to. If you win the race > and the victim accepts your spoof for 00001.gmail.com, it will also > accept (and overwrite any cached value) for your additional record for > www.gmail.com as well.
RFC 2181 says the resolver should not overwrite authoritative data with additional data in this manner. I believe the Matasano description is wrong. Tony. -- f.anthony.n.finch <[EMAIL PROTECTED]> http://dotat.at/ FORTIES CROMARTY FORTH TYNE DOGGER: EAST OR SOUTHEAST 3 OR 4, INCREASING 5 OR 6 LATER. SLIGHT OR MODERATE. FOG PATCHES. GOOD, OCCASIONALLY VERY POOR.
