[ On Thursday, July 4, 2002 at 18:42:21 (+0100), David Laight wrote: ]
> Subject: Re: automatic login
>
> > DNS spoofing requires either: a) the resolver for server to be
> > mis-configured or to be buggy; and/or b) the DNS zones for the clients
> > to be hosted on an insecure server.
> 
> Or you to send the client a response BEFORE the real one arrives.

"a _valid_ response" is required by my resolvers, I believe....  (not
entirely tricky, but harder than it would appear on first glance, and
requires some sniffing of the requests or brute-force DNS sequence
number guessing)

You'll have a hard time doing that too since the authoritative server is
actually on the local host and you hopefully can't spoof IP packets to it....  :-)

(and if it were some other machine on the internal network I'd hopefully
have a host-based firewall on the server to prevent spoofed DNS replies
from any outside network -- though I'm not quite that careful in those
particular scenarios, yet.... ;-)

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>