1. DNS/KnotResolver/CNAMEpoison
I am talking about a poisoned response whose answer section contains CNAME records.
I will not explain how the poisoned packet is sent to the target resolver.
$ dig +short -t a xxx.qmail.jp @a.ns.qmail.jp
14.192.44.29
Then send this query. (The answer is the presumed poison!)
$ dig -t mx xxx.qmail.jp @a.ns.qmail.jp
Confirm the CNAME record:
$ dig -t cname xxx.qmail.jp @a.ns.qmail.jp
2. defense
If the response is a fake, re-querying the CNAME value (the canonical name) is of no use.
So when you find a CNAME in the answer section:
- check that no cached record with the same owner name (of any type) exists
- check the negative cache too
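The check above, as an added example in Python (not code from the original page or from Knot Resolver): a constructed owner-name keyed cache that also holds negative entries, and a function that flags any CNAME in an answer section whose owner name already has a cached record of any type.

```python
from dataclasses import dataclass

# Constructed models of a resolver cache and of a response's answer section.
# Illustration of the check described above; not Knot Resolver's own code.


@dataclass(frozen=True)
class RR:
    owner: str    # owner name, e.g. "xxx.qmail.jp."
    rtype: str    # "A", "MX", "CNAME", ... or "NXDOMAIN"/"NODATA" for negative entries
    rdata: str = ""


def normalize(name: str) -> str:
    """Lower-case and make fully qualified so lookups ignore case and trailing dot."""
    return name.lower().rstrip(".") + "."


class Cache:
    """Owner-name keyed cache; negative entries live under the same key as positives."""

    def __init__(self) -> None:
        self._by_owner: dict[str, list[RR]] = {}

    def add(self, rr: RR) -> None:
        self._by_owner.setdefault(normalize(rr.owner), []).append(rr)

    def records_for(self, owner: str) -> list[RR]:
        """All cached records (any type, positive or negative) for this owner name."""
        return self._by_owner.get(normalize(owner), [])


def cname_conflicts(cache: Cache, answer: list[RR]) -> list[RR]:
    """Return the CNAME RRs in the answer section whose owner name already has
    any cached record. A non-empty result means the CNAME must not be accepted,
    and its canonical name must not be re-queried."""
    conflicts: list[RR] = []
    for rr in answer:
        if rr.rtype != "CNAME":
            continue
        if cache.records_for(rr.owner):   # any type, including NXDOMAIN/NODATA
            conflicts.append(rr)
    return conflicts
```

With the A record from the earlier lookup already cached, a later MX response that answers with a CNAME for the same owner name is flagged; a CNAME for a name with only a negative entry is flagged as well.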
-- ToshinoriMaeno 2016-07-19 07:02:50