We query a non-existent domain that is unlikely to be in the cache already (that
is, a random string as the subdomain). For example, we might query for:

$ dig eWVwLCB0aGlzIGlzIGJhc2U2NC4u.blackboard.ru.nl

Then we race the actual DNS server to provide this response:

    ;; ANSWER SECTION:
    eWVwLCB0aGlzIGlzIGJhc2U2NC4u.blackboard.ru.nl. 120 IN A 10.10.10.10

    ;; AUTHORITY SECTION:
    blackboard.ru.nl.       86400   IN      NS      ourns.blackboard.ru.nl.

    ;; ADDITIONAL SECTION:
    ourns.blackboard.ru.nl. 604800  IN      A       10.10.10.20

Here, 10.10.10.20 would be our address. The cache will now send its queries about
blackboard.ru.nl to our nameserver, which it believes is at ourns.blackboard.ru.nl.

Thus by simply requesting

$ dig blackboard.ru.nl

and sending back an incorrect A record for blackboard.ru.nl from 10.10.10.20, we
have poisoned the cache.
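
Seen from the resolver's side, the answer above leaves two traces: a run of responses that lose the race, and an in-zone NS record that replaces a delegation the cache already holds. The following is an added example, not part of the original answer. It checks constructed response events for both traces. The event field names, the cached nameserver name and the transaction IDs are assumptions, as is the premise that losing responses carry a wrong transaction ID.

```python
from collections import Counter

# Constructed data: the delegation the cache already holds (hypothetical name).
CACHED_NS = {"blackboard.ru.nl.": {"legit-ns.blackboard.ru.nl."}}

RANDOM_QNAME = "eWVwLCB0aGlzIGlzIGJhc2U2NC4u.blackboard.ru.nl."

# Constructed response events for one outstanding query. "sent_txid" is the
# transaction ID the resolver used, "txid" the one found in each response.
EVENTS = [
    {"qname": RANDOM_QNAME, "sent_txid": 0x1A2B, "txid": t,
     "authority": [("blackboard.ru.nl.", "NS", "ourns.blackboard.ru.nl.")],
     "additional": [("ourns.blackboard.ru.nl.", "A", "10.10.10.20")]}
    for t in (0x0001, 0x0002, 0x0003, 0x1A2B)
]

def in_zone(name, zone):
    """True if name equals zone or is a subdomain of it."""
    return name == zone or name.endswith("." + zone)

def delegation_changes(event, cached_ns):
    """NS records in the authority section that name a server the cache does
    not hold for an already-cached zone, with any glue address supplied.
    Zones the cache knows nothing about are skipped (first-time delegation)."""
    glue = {n: addr for n, t, addr in event["additional"] if t == "A"}
    findings = []
    for zone, rtype, target in event["authority"]:
        known = cached_ns.get(zone)
        if rtype != "NS" or known is None or not in_zone(event["qname"], zone):
            continue
        if target not in known:
            findings.append((zone, target, glue.get(target)))
    return findings

def race_suspects(events, threshold=3):
    """Query names that drew at least `threshold` responses with a wrong
    transaction ID before or alongside the accepted one."""
    wrong = Counter(e["qname"] for e in events if e["txid"] != e["sent_txid"])
    return [q for q, n in wrong.items() if n >= threshold]

if __name__ == "__main__":
    print("race suspects:", race_suspects(EVENTS))
    print("delegation changes:", delegation_changes(EVENTS[-1], CACHED_NS))
```

The NS record in this answer is inside the queried zone, so a bailiwick check alone accepts it. That is why the delegation comparison is made against what the cache already holds.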