Sunday, October 05, 2008

Bailiwick in DNS requests

So a month or two ago Dan Kaminsky discovered one of the most severe flaws of recent years, perhaps even since the internet boom.
Using this flaw, attackers can redirect internet traffic by answering your DNS requests with malicious responses.
Dan has written a nice article on his blog.
More details and patches can be found on the Microsoft sites.

Since I realised I knew nothing about how this exploit actually functioned, I read up on it last week in a spare minute and came across something I had never heard of before: bailiwick.

So I decided to spend a little more time on this and did some research on the "bailiwick" thing.
This is what I found out:

There are two important precepts to remember about content DNS server bailiwick:

1. Bailiwick is in the eye of the beholder.
Bailiwick is not inherent in the content DNS servers themselves. Content DNS servers don't know anything about their bailiwicks. The bailiwick of a content DNS server cannot be obtained from the server itself. The DNS protocol does not provide it with any way of knowing who issues the referrals that cause resolving proxy DNS servers to come to it, or what those referrals are.

It is only the resolving proxy DNS servers following that referral that know what the referrals are. It is the resolving proxy DNS servers that track the bailiwicks of the content DNS servers that they send queries to, and apply them as they process the responses.

2. Bailiwick applies only fleetingly, and multiple bailiwicks can apply to a single content DNS server.
The bailiwick of a content DNS server applies only to the query resolution at hand. A content DNS server can have many bailiwicks because it is referred to for information on names in several different domains. If multiple queries are being resolved for names in these different domains, it can indeed have those bailiwicks simultaneously.

For example: If the content DNS servers listening on IP addresses 207.228.252.101 and 209.81.71.60 serve up information on names in both the "scitechsoft.com." and the "openwatcom.com." domains, because they are owned by people who own both of those domains, then they will have the bailiwick "scitechsoft.com." when the "com." servers refer resolving proxy DNS servers to them for information on names in "scitechsoft.com.", and the bailiwick "openwatcom.com." when the "com." servers refer resolving proxy DNS servers to them for information on names in "openwatcom.com.".
For another example: The Verisign/Network Solutions content DNS servers serve up information on names in "com." and "net.". Their bailiwick is "com." or "net.", depending on the query being resolved at the time, and hence on the domain for which the "." content DNS servers actually issued the referral pointing at them in the first place.
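The bailiwick rule described above, as a resolving proxy would apply it to the records in a response. This is an added example, not code from the original post or from the article it quotes; it uses the server address and domain names the quoted text mentions, and the response records themselves are constructed.

```python
# Added example: bailiwick filtering in a resolving proxy. The server address
# and domain names come from the quoted text; the records are constructed.

def normalize(name: str) -> str:
    """Lower-case a domain name and make sure it ends with the root dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def in_bailiwick(name: str, bailiwick: str) -> bool:
    """True if `name` equals `bailiwick` or lies below it; "." covers all."""
    name, bailiwick = normalize(name), normalize(bailiwick)
    if bailiwick == ".":
        return True
    return name == bailiwick or name.endswith("." + bailiwick)

def filter_response(records, bailiwick: str):
    """Split a response into records the resolver may accept from a server
    it reached via a referral for `bailiwick`, and records it must discard."""
    kept, dropped = [], []
    for rec in records:
        (kept if in_bailiwick(rec[0], bailiwick) else dropped).append(rec)
    return kept, dropped

# Constructed response from the server at 207.228.252.101. The same records
# are judged differently depending on which referral the resolver followed.
RESPONSE = [
    ("www.scitechsoft.com.", "A", "207.228.252.101"),
    ("scitechsoft.com.", "NS", "ns1.scitechsoft.com."),
    ("ns1.scitechsoft.com.", "A", "207.228.252.101"),
    ("www.openwatcom.com.", "A", "209.81.71.60"),  # same server, other domain
    ("www.example.net.", "A", "192.0.2.1"),        # name outside both domains
]

def main() -> None:
    # Referred here by the "com." servers for a name in scitechsoft.com.:
    # only scitechsoft.com. records are trusted; openwatcom.com. ones are not.
    kept, dropped = filter_response(RESPONSE, "scitechsoft.com.")
    print("scitechsoft.com. keeps", [r[0] for r in kept])
    print("scitechsoft.com. drops", [r[0] for r in dropped])
    # Referred here for a name in openwatcom.com.: the roles swap.
    kept, _ = filter_response(RESPONSE, "openwatcom.com.")
    print("openwatcom.com.  keeps", [r[0] for r in kept])
    # A "com." bailiwick (the Verisign case) accepts both domains, not ".net.".
    _, dropped = filter_response(RESPONSE, "com.")
    print("com.             drops", [r[0] for r in dropped])

if __name__ == "__main__":
    main()
```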


You can find the complete article on it here.

Very interesting stuff, if I can say so myself ... :)

2 comments:

Anonymous said...

Hello, as you may have already found, I am a newbie here.
Hope to get some help from you if I have any questions.
Thanks and good luck everyone! ;)

Anonymous said...

Hello, nice post, thanks for sharing. I just joined and I am going to catch up by reading for a while. I hope I can join in soon.