Question: 2nd Exploit for DNS Cache Poisoning - RELEASED

Thu Jul 24 19:52:40 UTC 2008

Tuc at T-B-O-H.NET wrote:
> 	The new one is called "baliwicked_domain" and its described
> as :
> 
> This exploit attacks a fairly ubiquitous flaw in DNS implementations which 
> Dan Kaminsky found and disclosed ~Jul 2008.  This exploit replaces the target
> domains nameserver entries in a vulnerable DNS cache server. This attack works
> by sending random hostname queries to the target DNS server coupled with spoofed
> replies to those queries from the authoritative nameservers for that domain.
> Eventually, a guessed ID will match, the spoofed packet will get accepted, and
> the nameserver entries for the target domain will be replaced by the server
> specified in the NEWDNS option of this exploit.

All this sounds good and dandy, but I'm not sure the guessing is the problem. 
Why is a resolver replacing an existing cached entry with a new entry? If the 
entry changes, at most, the resolver should be removing it from cache. In this 
regards, the exploit would not only have to hit it once, but twice, and they'd 
have to manage the exploit *BEFORE* the official server returned it's own 
authority records for caching.

While I agree the source port is a good thing (and reduces poisoning issues even 
when an authoritative server isn't responding), I question if it can actually 
succeed at beating the authoritative domain's NS reliably, and if it is 
overwriting a cache, if the more exploitable issue is the cache overwrite versus 
staling the entry from cache early and letting the next query request from the 
authoritative server.

I'm just curious. It doesn't make much sense.

Jack Bates