Multiple DNS implementations vulnerable to cache poisoning

Steven M. Bellovin smb at
Wed Jul 9 15:41:43 UTC 2008

On Tue, 8 Jul 2008 13:48:57 -0700
"Buhrmaster, Gary" <gtb at> wrote:

> Multiple DNS implementations vulnerable to cache poisoning:
> (A widely coordinated vendor announcement.  As always,
> check with your vendor(s) for patch status.)
It's worth noting that the basic idea of the attack isn't new.  Paul
Vixie described it in 1995 at the Usenix Security Conference
-- in a section titled "What We Cannot Fix", he wrote:

	With only 16 bits worth of query ID and 16 bits worth of UDP
	port number, it's hard not to be predictable.  A determined
	attacker can try all the numbers in a very short time and can
	use patterns derived from examination of the freely available
	BIND code. Even if we had a white noise generator to help
	randomize our numbers, it's just too easy to try them all.

The ISC web page on the attack notes "DNSSEC is the only definitive
solution for this issue. Understanding that immediate DNSSEC deployment
is not a realistic expectation..."  I wonder what NANOG folk can do
about the second part of that quote...

		--Steve Bellovin,

More information about the NANOG mailing list