Exploit for DNS Cache Poisoning - RELEASED

Sean Donelan sean at donelan.com
Thu Jul 24 09:32:19 CDT 2008


On Thu, 24 Jul 2008, Paul Ferguson wrote:
>>> Let's hope some very large service providers get their act together
>>> real soon now.
>>
>> There is always a tension between discovery, changing, testing and
> finally deployment.
>>
>
> Sure, I can empathize, to a certain extent. But this issue has
> been known for 2+ weeks now.
>
> Not sure I can be very empathic now, given the seriousness, and the
> proper warning ISPs have been given.

Also recognize some of the simple testing tools get a bit confused
by some of the more complex DNS configurations used by the mega-ISP
DNS clusters; and generate false positives (and maybe even false
negative) results. You can see it happens when the testing tool
reports widely different number of queries checked.

Several of the ISPs with complex DNS clusters are patching and upgrading
them; however the current state of some of the patches wouldn't support
the query load those providers normally experience.  So they've been
working on alternative mitigation strategies.  However, its difficult
to now if the alternative strategies actually mitigate the actual threat
without knowing the actual threat.

And finally, there probably are some providers who haven't made plans to
change their DNS.  Unfortunately, the testing tools can't read minds 
(yet), so its difficult to know which ISPs are in this category.





More information about the NANOG mailing list