Tuc at T-B-O-H.NET wrote:
The new one is called "baliwicked_domain" and its described as :
This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target domains nameserver entries in a vulnerable DNS cache server. This attack works by sending random hostname queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for that domain. Eventually, a guessed ID will match, the spoofed packet will get accepted, and the nameserver entries for the target domain will be replaced by the server specified in the NEWDNS option of this exploit.
All this sounds good and dandy, but I'm not sure the guessing is the problem. Why is a resolver replacing an existing cached entry with a new entry? If the entry changes, at most, the resolver should be removing it from cache. In this regards, the exploit would not only have to hit it once, but twice, and they'd have to manage the exploit *BEFORE* the official server returned it's own authority records for caching. While I agree the source port is a good thing (and reduces poisoning issues even when an authoritative server isn't responding), I question if it can actually succeed at beating the authoritative domain's NS reliably, and if it is overwriting a cache, if the more exploitable issue is the cache overwrite versus staling the entry from cache early and letting the next query request from the authoritative server. I'm just curious. It doesn't make much sense. Jack Bates