While reading section 10 of unified 3-protocol.txt I've found that there is
such a short security considerations section.
I would like to note a few more security considerations in addition to
forgery and DDoS (already discussed here).
1. How about a multi-homed DNS configuration with private and public records?
Using the following record in the "attacker.com" DNS zone
spfv1 IN TXT "v=spf1 exists:%{l}.nsa.gov -all"
we will be able to connect to any SPF-aware server and scan "nsa.gov" for
names ;o)
How?
"MAIL FROM: www@attacker.com" will result in the existence of the
www.nsa.gov address being checked.
"MAIL FROM: router1.sigint.ny@attacker.com" will result in the existence of
the router1.sigint.ny.nsa.gov address being checked.
2. How about scanning the online/firewall status of internal machines based on
response timing?
Using the following record in the "attacker.com" DNS zone:
spfv1 IN TXT "v=spf1 exists:check.%{l}.attacker.com -all"
with the attacker.com DNS zone delegating subdomains to 192.168.0.{%l}.
This will result in DNS request packets being sent to the internal network.
Depending on firewall/online status, such DNS requests will either be denied
fast or time out.
How?
"MAIL FROM: 10@attacker.com" will result in a DNS query for the
"check.10.attacker.com" name.
The query to the attacker.com DNS server will be answered saying that the
10.attacker.com zone is served by the single DNS server 192.168.0.10.
The SPF application will then contact port 53 on the 192.168.0.10 machine.
If 192.168.0.10 is offline or firewalled to drop unknown packets, this query
will time out, but if it is online and not firewalled the query will fail
faster.
Any ideas how we can prevent/work around this?
How about limitations on "exists" names?
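To make the two cases above concrete, here is an added example (not part of the post or of any SPF implementation) that expands the %{l} macro the way a checker would and then applies the "limit exists names" idea as an assumed policy: an exists: target whose fixed suffix lies outside the sender's own domain is flagged. The record strings and MAIL FROM values are the ones from the post; the policy function and its name are assumptions.

```python
import re

# Records from the post, reused as constructed sample input.
RECORD_CASE1 = "v=spf1 exists:%{l}.nsa.gov -all"
RECORD_CASE2 = "v=spf1 exists:check.%{l}.attacker.com -all"

# SPF macro syntax: %{letter}[digits][r][delimiters]
MACRO_RE = re.compile(r"%\{([slodiphcrtv])(\d*)(r?)([.\-+,/_=]*)\}")


def expand_macro(spec, mail_from):
    """Expand the macros relevant here: %{l} local part, %{o}/%{d} domain, %{s} sender."""
    local, _, domain = mail_from.rpartition("@")
    values = {"l": local, "o": domain, "d": domain, "s": mail_from}

    def sub(m):
        letter, digits, reverse, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse == "r":
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(sub, spec)


def exists_targets(record, mail_from):
    """Return the hostnames each exists: mechanism would look up for this MAIL FROM."""
    targets = []
    for term in record.split():
        mech = term.lstrip("+-~?")
        if mech.lower().startswith("exists:"):
            targets.append(expand_macro(mech[len("exists:"):], mail_from))
    return targets


def risky_exists(record, sender_domain):
    """Assumed policy: flag exists: specs whose macro-independent suffix is not
    inside the sender's own domain. This catches case 1 (lookups steered into
    nsa.gov) but not case 2, where the delegation stays inside attacker.com;
    case 2 needs lookup limits and timeouts in the checker instead."""
    flagged = []
    for term in record.split():
        mech = term.lstrip("+-~?")
        if not mech.lower().startswith("exists:"):
            continue
        spec = mech[len("exists:"):]
        suffix = spec[spec.rfind("}") + 1:].lstrip(".") if "}" in spec else spec
        if not (suffix == sender_domain or suffix.endswith("." + sender_domain)):
            flagged.append(spec)
    return flagged
```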
--
Andriy G. Tereshchenko
TAG Software
Odessa, Ukraine
http://www.24.odessa.ua