DNS spoofing vulnerability

Chris Buxton cbuxton at menandmice.com
Sun Jul 13 00:57:11 PDT 2008


On Jul 12, 2008, at 10:37 AM, marty wrote:
>> I assume most of you have heard about the recent BIND/MS DNS updates
>> to somewhat address a new DNS spoofing attack vector discovered by
>> Dan Kaminsky.
>
> This is NOT a new vulnerability. Kaminsky just got wise recently.
> Bernstein made it public many years ago. Others have written about
> it too.
> djbdns and PowerDNS were never affected because those authors knew
> about this from the start. Why the big noise now?

No, Marty, you're understandably mistaken. I thought the exact same  
thing, as did a lot of smart people whose opinions I trust (e.g. Paul  
Vixie of ISC, maintainers of BIND). Then Kaminsky put Vixie under NDA  
and showed it to him. Now Vixie says it's not the same thing we've  
always known about.

Alan Clegg (also of ISC) gave me a little bit of a talking-to after I  
said much the same as you did above.

I said on BIND Users:
>> However, that said, this attack is not new. The weakness addressed by
>> this latest patch is not some new revelation - it's something we in
>> the community have known about for years. It's just that Dan Kaminsky
>> is presenting a paper next month at Black Hat telling the world how
>> to exploit it.

And Alan Clegg said to me privately:
> I was with you until you said this.  The attack is old, but the attack
> vector is new.  It's deadly.  If you stay on the same port for more
> than a few seconds (maybe around 5?) you are open to poisoning.
>
> Everyone MUST randomize source ports.  The rumor mill has it that a
> white-hat has re-discovered the vector that Kaminsky found, so the
> blacks are, I'm sure, not behind (if not ahead already).
>
> Please, don't tell people that this is the "same old" because it's
> much, much worse.

djbdns and PowerDNS are not vulnerable to this new attack vector  
because they don't hold open an outbound source port for queries. BIND  
did until this latest update, and Microsoft DNS did until their update.

The QA manager for CentOS, a friend of mine, told me that glibc is  
also vulnerable. I'm not sure how vulnerable, but I do know that  
Microsoft patched their stub resolver at the same time as their DNS  
server. (glibc contains a stub resolver based on the BIND source code  
+ Sun's nscd.)

Clegg also sent me to this page:

http://www.securityfocus.com/brief/772

He also passed along some private, internal ISC communications that  
I'm not at liberty to disclose. I can, however, tell you that it  
scared me. I suspect DNSSEC will now be rolled out pronto across a  
much larger segment of the Internet. Stub resolvers may see some TSIG  
and/or GSS-TSIG support coming soon as well.

Chris Buxton
Professional Services
Men & Mice
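An added check in the spirit of Clegg's "Everyone MUST randomize source ports" and the djbdns/PowerDNS remark above; this is example code written for this page, not from the thread or any of the resolvers it names. It assumes an operator has already extracted (transaction ID, UDP source port) pairs from their own resolver's outbound queries; the two sample lists are constructed, not real captures, and the threshold of 16 distinct ports is an arbitrary choice.

```python
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy (bits) of the observed value distribution.

    With n samples this can never exceed log2(n), so treat it as an
    empirical lower bound on the randomness of the source, not its true size."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_port_randomization(queries, min_distinct_ports=16):
    """Classify a resolver from (txid, source_port) pairs of its outbound queries.

    A resolver that keeps reusing one source port leaves only the 16-bit
    transaction ID for an off-path forger to match; a randomized port adds
    the second field the forged answer must also hit."""
    if not queries:
        raise ValueError("no queries observed")
    txids = [txid for txid, _ in queries]
    ports = [port for _, port in queries]
    distinct_ports = len(set(ports))
    port_bits = entropy_bits(ports)
    txid_bits = entropy_bits(txids)
    # Arbitrary threshold (assumption): fewer distinct ports than this in a
    # sample of this size means the resolver is effectively pinned to a port.
    verdict = "fixed-port" if distinct_ports < min_distinct_ports else "randomized"
    return {
        "distinct_ports": distinct_ports,
        "port_entropy_bits": round(port_bits, 2),
        "txid_entropy_bits": round(txid_bits, 2),
        # Both fields must match for a forged reply to be accepted.
        "observed_guess_bits": round(port_bits + txid_bits, 2),
        "verdict": verdict,
    }


# Constructed samples (not real captures): 256 queries each. The fixed port
# 35211 is an invented value standing in for an unpatched resolver's single
# long-lived outbound socket.
_rng = random.Random(2008)
FIXED_PORT_QUERIES = [(_rng.getrandbits(16), 35211) for _ in range(256)]
RANDOM_PORT_QUERIES = [(_rng.getrandbits(16), _rng.randint(1024, 65535)) for _ in range(256)]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT_QUERIES), ("random", RANDOM_PORT_QUERIES)):
        print(name, assess_port_randomization(sample))
```

Run it against pairs pulled from a capture of your own resolver's port 53 traffic; a "fixed-port" verdict is the condition Clegg describes, whatever the resolver's version string says.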
