[Pdns-users] pdns_recursors trusts addtional section where it better shouldn't
Thomas Mieslinger
miesi at india.com
Fri Feb 17 13:15:52 UTC 2017
On 17.02.17 13:56, Brian Candler wrote:
> On 17/02/2017 12:53, Thomas Mieslinger wrote:
>> With crafted glue in the tld zone and mailrelays using pdns_recursor
>> you could redirect mail traffic.
>>
> If you have the ability to craft glue in the tld zone, surely you could
> also just change the delegation outright??
No, the idea is to create a new domain with malicious glue and then send
emails over the MXes to infiltrate. The MXes will do lookups, which
trigger the pdns_recursor cache poisoning.
My employers customers called in because they couldn't send emails to
ovh MXes. If the broken domains would have been malicious and glue ips
with port 25 open, the MXes would have delivered the emails to them.
So do registries accept something like "mx00.t-online.de A
64.233.187.26" as hostobject for a NS of a domain?
In the case of .com/.net I have the feeling they accept all kind of
bullshit (see first mail of this thread)
Cheers
More information about the Pdns-users
mailing list