DNS hijacking through CNAME targets

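Suppose a BIND server has two zones configured, a.com and b.com. BIND is the authoritative server for a.com, but not for b.com. A user sets the record www.a.com as a CNAME to www.b.com. When a client queries www.a.com, BIND returns authoritative answers for both www.a.com and www.b.com, and the www.b.com answer is clearly a DNS hijack. How should the client deal with this?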

I asked this question on the BIND mailing list as follows:

If BIND is authoritative for zone a, and is not authoritative for zone b, but zone b is configured in BIND’s zone file, and x.zonea.com is CNAME’d to y.zoneb.com.

When a DNS client queries this BIND for x.zonea.com, it gets the authoritative answers for both x.zonea.com and y.zoneb.com; certainly y.zoneb.com is a fake one.

How does a DNS client handle this case?

Mark from ISC replied as follows:

It depends on the client and whether the zones are signed or not
and whether the client is validating responses or not.

Stub clients will almost always trust the complete answer.
For iterative clients it depends on their level of paranoia.

named is paranoid. It discards the rest of the response after processing
the CNAME.

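If the client resolver is BIND, then when it processes the CNAME it simply discards the rest of the response after the CNAME and resolves the CNAME target again itself, which avoids the problem described above.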
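The policy from Mark's reply can be sketched as a filter over a parsed answer section. This is an added example, not BIND source code or code from the original post: the tuple record format, the `filter_answer` helper and its `strict` flag are assumptions, and all records are constructed sample data.

```python
# Added illustration, not BIND source code. Records are (owner, type, rdata)
# tuples; all names and addresses below are constructed sample data.

def norm(name):
    return name.lower().rstrip(".")

def in_zone(name, zone):
    """True if name is the zone apex or a subdomain of it."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

def filter_answer(qname, answer, zone, strict=True):
    """Return (accepted_records, restart_name) for one response.

    strict=True  : keep only the first CNAME and discard the rest of the
                   response, as the reply above describes for named.
    strict=False : assumption of this sketch; also keep chain records whose
                   owner is still inside `zone`, the zone that was queried.
    restart_name is the name to resolve with a fresh query, or None.
    """
    accepted, current, seen = [], norm(qname), set()
    while in_zone(current, zone) and current not in seen:
        seen.add(current)
        rrset = [rr for rr in answer if norm(rr[0]) == current]
        if not rrset:
            return accepted, current      # no data for this name: ask again
        accepted.extend(rrset)
        cnames = [rr for rr in rrset if rr[1] == "CNAME"]
        if not cnames:
            return accepted, None         # terminal records, answer complete
        current = norm(cnames[0][2])
        if strict:
            break                         # never trust data after the CNAME
    return accepted, current              # strict stop, left the zone, or loop

# Constructed response for the page's scenario: server authoritative for a.com only.
HIJACK = [("www.a.com", "CNAME", "www.b.com"),
          ("www.b.com", "A", "203.0.113.66")]   # forged b.com data
IN_ZONE = [("x.a.com", "CNAME", "y.a.com"),
           ("y.a.com", "A", "192.0.2.10")]

if __name__ == "__main__":
    print(filter_answer("www.a.com", HIJACK, "a.com"))
    print(filter_answer("x.a.com", IN_ZONE, "a.com", strict=False))
```

In both modes the forged www.b.com address is dropped and www.b.com is returned as the name to resolve through the normal delegation path.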

Reposted from http://www.nsbeta.info/archives/294

8 Comments
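  1. ....After reading a technical post I instantly went Blind

    1. Uh, I think I have always been blind, hehe

      1. Haha, are you playing around with building your own DNS?
        I think DNS branding is enough for me

        1. Hehe, I really do want to learn how to set one up. It seems quite complicated, and you also need two public IPs. Have you tried it?

          1. I haven't tried. There are lots of tutorials like that, and I am really too lazy to tinker with it

            1. Those tutorials don't really work; they are only good as a rough reference. Actually the main thing is that the equipment still has to be prepared, 2 machines, phew.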
