Question: 2nd Exploit for DNS Cache Poisoning - RELEASED
Jack Bates
jbates at brightok.net
Thu Jul 24 19:52:40 UTC 2008
Tuc at T-B-O-H.NET wrote:
> The new one is called "baliwicked_domain" and its described
> as :
>
> This exploit attacks a fairly ubiquitous flaw in DNS implementations which
> Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target
> domains nameserver entries in a vulnerable DNS cache server. This attack works
> by sending random hostname queries to the target DNS server coupled with spoofed
> replies to those queries from the authoritative nameservers for that domain.
> Eventually, a guessed ID will match, the spoofed packet will get accepted, and
> the nameserver entries for the target domain will be replaced by the server
> specified in the NEWDNS option of this exploit.
All this sounds good and dandy, but I'm not sure the guessing is the problem.
Why is a resolver replacing an existing cached entry with a new entry? If the
entry changes, at most, the resolver should be removing it from cache. In this
regards, the exploit would not only have to hit it once, but twice, and they'd
have to manage the exploit *BEFORE* the official server returned it's own
authority records for caching.
While I agree the source port is a good thing (and reduces poisoning issues even
when an authoritative server isn't responding), I question if it can actually
succeed at beating the authoritative domain's NS reliably, and if it is
overwriting a cache, if the more exploitable issue is the cache overwrite versus
staling the entry from cache early and letting the next query request from the
authoritative server.
I'm just curious. It doesn't make much sense.
Jack Bates
More information about the NANOG
mailing list