spf-discuss

Re: Additional security considerations

2004-07-11 14:24:44
[wayne]
Andrew G. Tereschenko writes:

I would like to note a few more security considerations in addition to
forgery and DDoS (already discussed here).

Always good things to consider

1. How about a multi-homed DNS configuration with private and public
records?
[...]
Information published in a publicly viewable zone file, is, well,
public information.

Read again: "multi-homed DNS configuration with private and public records".

I.e. in case I connect to an nsa.gov SPF-aware mail server I will be
able to use SPF software as a Trojan horse to check their _private_ DNS
configuration.
It's a common configuration to restrict private information based on the IP
address of the requestor.
In case the SPF server uses internal DNS - bad, bad, bad.

In addition to NSA.gov - think about Microsoft Active Directory.
You have a ".local" TLD configured (or for example corp.microsoft.com,
extracted from a valid Microsoft email).
Your DNS serves this .local TLD but also caches and forwards all other queries
to your ISP.
Now you configure your Exchange to support SPF and use your local DNS
as the SPF data source. Everybody can start to check arbitrary names in your
".local" domain.
AFAIK, this kind of configuration is common.
Private DNS is protected from external access by a firewall, but internally all
private zones are accessible.


No, that's not how the exists: mechanism works.  No DNS request will
be sent to 192.168.0.%{l}.  Only attacker.com's DNS server will be
queried, and it makes no difference whether it returns 192.168.0.xxx
or 127.0.0.2 (the standard DNSBL value).


LOL.
Configure your own LAN with 2 DNS servers as primary and a sub-domain in the
192.168.0.xxx range.
Your current software will query them ;o)

Do you know why the 127.0.0.2 IP was used in DNSBL?
Because the query (if any) will be answered by the local machine ;o)

If you do not see the sniper - this does not mean the sniper does not see you ;o)

P.S. As for the timing attack - in addition to machine existence it will be
possible to find the round-trip time from/to the mail server (as a result, network
distance, or network load if RTT differs based on time of day and date) and
collect complete information about the target network architecture and routers.
--
Andriy G. Tereshchenko
TAG Software
Odessa, Ukraine
http://www.24.odessa.ua
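One defensive check that follows from the concern raised in this thread, as an added example that is not code from the list or from any SPF implementation: before an MTA evaluates a sender's SPF record against a resolver that also serves internal zones, flag every term whose lookup name falls inside a site-private zone, so the record can be treated as permerror or evaluated through a public-only resolver instead. The PRIVATE_ZONES list and the sample records are constructed for illustration.

```python
import re

# Constructed list of zones that exist only on this site's internal resolver
# (assumption: site-specific; the post's example is a ".local" AD zone).
PRIVATE_ZONES = ("local", "corp.example")

# SPF terms whose target is a domain name the evaluator will send DNS queries for.
# "a", "mx" and "ptr" with no explicit target use the sender's domain.
DOMAIN_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?(?:/[\d/]*)?$", re.IGNORECASE)
MACRO_RE = re.compile(r"%\{[^}]*\}|%[%_-]")

def in_private_zone(name, private_zones=PRIVATE_ZONES):
    """True if the static part of `name` ends in one of the private zones.
    Macros such as %{l} or %{i} are expanded at evaluation time, so only the
    literal suffix can be judged here; a name that is nothing but macros has
    no static suffix and is not flagged."""
    static = MACRO_RE.sub("", name).strip(".").lower()
    if not static:
        return False
    labels = static.split(".")
    return any(labels[-len(z.split(".")):] == z.lower().split(".")
               for z in private_zones)

def audit_spf(record, sender_domain, private_zones=PRIVATE_ZONES):
    """Return the SPF terms that would make the evaluator query a private zone.
    A non-empty list means the record must not be evaluated against the
    internal resolver (treat as permerror or use a public-only resolver)."""
    terms = record.split()
    if terms and terms[0].lower() == "v=spf1":   # skip the version tag
        terms = terms[1:]
    flagged = []
    for term in terms:
        m = TERM_RE.match(term)
        if not m:
            continue
        mech, target = m.group(1).lower(), m.group(2)
        if mech not in DOMAIN_TERMS:
            continue                              # ip4:/ip6:/all do no lookups
        lookup_name = target if target else sender_domain
        if in_private_zone(lookup_name, private_zones):
            flagged.append(term)
    return flagged
```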