Using the Domain Name System for System Break-ins
Steven M. Bellovin
<smb@research.att.com>
AT&T Bell Laboratories
Abstract
The DARPA Internet uses the Domain Name System (DNS), a
distributed database, to map host names to network addresses, and
vice versa. Using a vulnerability first noticed by P.V. Mockapetris,
we demonstrate how the DNS can be abused to subvert system security.
We also show what tools are useful to the attacker. Possible defenses
against this attack, including one implemented by Berkeley in response
to our reports of this problem, are discussed, and the limitations on
their applicability are demonstrated.