In association with heise online

08 August 2008, 11:12

Kaminsky reveals final details of DNS vulnerability


Dan Kaminsky in his Black Hat lecture has revealed the final details of the vulnerability in the Domain Name System that he originally discovered. In addition to an attack on a CNAME record, it appears possible to provide a querying name server with false information that can then be used to query other name servers. This means that manipulation is not limited to a single address entry in the cache, and that all other queries may be forwarded to the name server of an attacker.

The attacker could take advantage of the fact that a recursive DNS server is referred from one name server to the next until it finally finds the name server responsible for the domain. This provides the attacker with multiple opportunities to send spoofed packets to the victim's server. It should even be possible to attack the name servers of top-level domains in this way. The first pointer to this alternative type of attack was in H.D. Moore's exploit. This could also explain the varying times given by different security specialists for a successful cache poisoning attack. While some specialists have put the time in minutes, Kaminsky has repeatedly stated that his attack took only a few seconds.

In his 104-page lecture, Kaminsky explains how the DNS problem affects different services, such as email, SIP, and others. He also provides information on the successful patching carried out by the companies involved, at least in North America. Kaminsky says that 70 per cent of Fortune 500 companies have successfully installed the patches on their mail servers, although 15 per cent are still having problems with NAT devices which, because of the increased randomness of the source ports used for DNS queries, are working close to their limits and reducing the effectiveness of the patch. The proportion of patches completed on other server systems is thought to be 61 per cent, with some 22 per cent experiencing NAT/PAT problems.
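Because a NAT/PAT device can rewrite the randomised source ports of a patched resolver into a predictable pattern, the patch has to be verified from outside the network. The following check is an added example, not taken from the article or from Kaminsky's lecture; it rates the source ports of consecutive queries as an authoritative server would see them, and its thresholds and sample port lists are constructed assumptions.

```python
import statistics

def assess_source_ports(ports):
    """Rate how predictable a resolver's UDP source ports look from outside.

    ports: source ports of consecutive queries, in arrival order, as seen
    by an authoritative server (that is, after any NAT/PAT rewriting).
    """
    if len(ports) < 10:
        raise ValueError("need at least 10 consecutive queries")
    # Distance between successive ports, in either direction, modulo 2^16.
    steps = []
    for a, b in zip(ports, ports[1:]):
        d = (b - a) % 65536
        steps.append(min(d, 65536 - d))
    small = sum(1 for s in steps if s <= 16)  # 0 = fixed port, small = counter
    result = {
        "distinct": len(set(ports)),
        "span": max(ports) - min(ports),
        "stdev": round(statistics.pstdev(ports), 1),
        "small_step_ratio": small / len(steps),
    }
    # Thresholds are illustrative assumptions, not a published standard.
    if result["distinct"] == 1:
        result["verdict"] = "fixed"        # unpatched: one port for everything
    elif result["small_step_ratio"] >= 0.8:
        result["verdict"] = "sequential"   # counter-style allocation, e.g. by PAT
    elif result["stdev"] < 3000:
        result["verdict"] = "narrow"       # random, but within a small pool
    else:
        result["verdict"] = "random"
    return result

# Constructed samples, not measurements.
PATCHED_DIRECT = [41873, 9021, 60212, 23318, 51007, 1534,
                  37790, 64120, 18455, 29966, 55301, 12087]
BEHIND_PAT = [1024, 1025, 1026, 1027, 1029, 1030,
              1031, 1032, 1033, 1035, 1036, 1037]
UNPATCHED = [32768] * 12
SMALL_POOL = [5000, 5900, 5100, 5700, 5300, 5950, 5050, 5600, 5200, 5800]

if __name__ == "__main__":
    for name, sample in [("patched, direct", PATCHED_DIRECT),
                         ("patched, behind PAT", BEHIND_PAT),
                         ("unpatched", UNPATCHED),
                         ("small pool", SMALL_POOL)]:
        print(name, assess_source_ports(sample))
```

Any verdict other than "random" means the ports seen from outside are easier to guess than the patch intends, whatever the resolver itself is doing.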
