For those of you that aren't aware, Dan Kaminsky of IOActive recently coordinated a massive multi-vendor update to several DNS server applications, including ISC's BIND, which powers the vast majority of DNS servers in the world. Details of the vulnerability are not available yet, but it is being described as a fundamental flaw in the DNS architecture itself (a design flaw, he has said).
The patches released by multiple vendors last week are an attempt to mitigate the vulnerability and make it harder to exploit; they do not fix the underlying flaw, which has not yet been published. These patches are almost exclusively aimed at ensuring DNS servers use a random source port for every query they send out; most, including BIND, simply picked a random port on startup and used that as the source port for all of their queries.
This makes a DNS server much more susceptible to DNS hijacking and thus to cache poisoning.
Hijacking is the act of sending a forged response to a query that reaches the server before the legitimate answer gets there. If the source IP and query ID match, and the spoofed answer is sent to the right port, there is no mechanism (outside of DNSSEC, which is not widely deployed) to determine whether the answer is authentic or not.
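To make the matching rule above concrete, here is an added example (not code from the original post, and not BIND's code) of the checks a resolver can apply to an incoming UDP answer before trusting it: the packet must arrive from the server the query was sent to, on the source port the resolver used for that query, with the same transaction ID, and with a question section that matches the outstanding query. The packet builder, the `PendingQuery` record, the sample names and the addresses are all constructed for the demonstration.

```python
import struct
from dataclasses import dataclass


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, offset: int):
    """Decode a wire-format name, following one compression pointer if present."""
    labels = []
    while True:
        length = pkt[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            rest, _ = decode_name(pkt, ptr)
            labels.append(rest.rstrip("."))
            return ".".join(labels) + ".", offset + 2
        offset += 1
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Minimal recursive query: header (RD set) plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, qname: str, ip: str, qtype: int = 1) -> bytes:
    """Constructed answer packet: echoes the question and adds one A record
    whose owner name is a compression pointer (0xC00C) back to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answer


@dataclass
class ParsedResponse:
    txid: int
    is_response: bool
    qname: str
    qtype: int
    qclass: int
    answers: list  # (owner name, type, raw rdata)


def parse_response(pkt: bytes) -> ParsedResponse:
    """Parse header, the (single) question and the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off = 12
    qname, off = decode_name(pkt, off)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        answers.append((name, rtype, pkt[off:off + rdlen]))
        off += rdlen
    return ParsedResponse(txid, bool(flags & 0x8000), qname, qtype, qclass, answers)


@dataclass(frozen=True)
class PendingQuery:
    """What the resolver remembers about a query it has in flight (hypothetical record)."""
    txid: int
    src_port: int   # the resolver's own source port for this query
    server_ip: str  # the upstream server the query was sent to
    qname: str
    qtype: int


def response_matches(pending: PendingQuery, from_ip: str, to_port: int, pkt: bytes):
    """Accept the packet only if every field the resolver can check lines up.
    Returns (accepted, reason) so callers can log why a packet was dropped."""
    if from_ip != pending.server_ip:
        return False, "source IP mismatch"
    if to_port != pending.src_port:
        return False, "destination port mismatch"
    r = parse_response(pkt)
    if not r.is_response:
        return False, "QR bit not set"
    if r.txid != pending.txid:
        return False, "transaction ID mismatch"
    if r.qname.lower() != pending.qname.lower() or r.qtype != pending.qtype or r.qclass != 1:
        return False, "question section mismatch"
    return True, "accepted"


if __name__ == "__main__":
    q = PendingQuery(0x1234, 53211, "192.0.2.1", "www.example.com.", 1)
    legit = build_response(0x1234, "www.example.com.", "198.51.100.7")
    print(response_matches(q, "192.0.2.1", 53211, legit))
    print(response_matches(q, "192.0.2.1", 53211, build_response(0x1235, "www.example.com.", "203.0.113.9")))
    print(response_matches(q, "192.0.2.1", 53212, legit))
```

The point of the example is the third check: with a fixed source port the `to_port` comparison adds nothing, and the 16-bit transaction ID is the only unpredictable value a forged packet has to get right; with a freshly randomized port per query, the forger must also land on the port, which is exactly what last week's patches restore.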
Cache poisoning uses hijacking to inject additional records into the victim's DNS server; rather than attempt to explain the differences, I will illustrate them at the end of this post.
It appears then that DNS hijacking, while not the vulnerability that Kaminsky has discovered (hijacking and cache poisoning are old news), is a required step in exploiting the vulnerability. If you are resistant to hijacking, you are by definition resistant to cache poisoning and the new as-yet-undisclosed design flaw.
I want to stress that this is an entirely new flaw. Pretty much everyone was skeptical about it at first, and many people grew (and are growing) more irritated by the second that the vulnerability has not yet been disclosed. Some people have even suggested that Kaminsky simply "discovered" cache poisoning all over again in an attempt to get his name up in lights.
This is not the case. Paul Vixie (author of the BIND nameserver), Cricket Liu (author of DNS & BIND), Paul Mockapetris (inventor of DNS), and others have been clued in to the vulnerability in detail by Kaminsky. They are all well-respected authorities on DNS and in the security field, and would not simply throw away their reputations crying wolf over nothing. It also takes more than a single lunatic screaming about TEOTWAWKI to get Microsoft, ISC, Cisco, and other big-name vendors to sit down in a room as skeptics and walk out committed to releasing the same patch, for the same issue, on the same day.
Details are to be released in a few weeks at the Black Hat conference in Las Vegas, so if you haven't patched already, make sure you do before then. Once the vulnerability is disclosed, expect an escalation in attacks from script kiddies shortly thereafter.
You can use free tools provided by DNSstuff, Doxpara (Dan Kaminsky), or DNS OARC to check whether the DNS server your system is currently configured to use has been patched.
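Those online tools work by watching the source ports your resolver uses when it queries them. If you would rather check a resolver you operate from your own side, the same idea can be applied to a capture of its outbound UDP port-53 queries. The following is an added example, not one of the tools named above and not code from the original post; the two observation lists are constructed samples of (source port, transaction ID) pairs, one from an unpatched resolver that reuses a single port and one from a patched resolver.

```python
from collections import Counter

# Constructed samples of (source port, transaction ID) pairs observed on a
# resolver's outbound queries. Real data would come from a packet capture of
# the resolver's outgoing UDP port-53 traffic.
FIXED_PORT_SAMPLE = [
    (32768, 0x1A2B), (32768, 0x7F10), (32768, 0x0C44), (32768, 0xE901),
    (32768, 0x5D3A), (32768, 0x9B62), (32768, 0x2207), (32768, 0xC8F5),
]
RANDOM_PORT_SAMPLE = [
    (50213, 0x1A2B), (61877, 0x7F10), (33902, 0x0C44), (57140, 0xE901),
    (40255, 0x5D3A), (63311, 0x9B62), (35678, 0x2207), (49820, 0xC8F5),
]


def port_randomization_report(observations, min_samples=5):
    """Summarise how the source ports (and transaction IDs) of the observed
    queries vary and give a verdict on whether port randomization is in effect."""
    if len(observations) < min_samples:
        raise ValueError(f"need at least {min_samples} observations to judge")
    ports = [port for port, _ in observations]
    txids = [txid for _, txid in observations]
    port_counts = Counter(ports)
    distinct_ports = len(port_counts)
    ordered = sorted(ports)
    sequential = distinct_ports == len(ports) and all(
        b - a == 1 for a, b in zip(ordered, ordered[1:])
    )

    if distinct_ports == 1:
        verdict = "fixed: every query left from the same source port (unpatched behaviour)"
    elif sequential:
        verdict = "sequential: ports change but are predictable, little better than fixed"
    elif distinct_ports == len(ports):
        verdict = "randomized: a different source port for every observed query"
    else:
        verdict = "partially randomized: some ports repeat, inspect the capture further"

    return {
        "samples": len(observations),
        "distinct_ports": distinct_ports,
        "most_common_port": port_counts.most_common(1)[0],
        "port_spread": max(ports) - min(ports),
        "distinct_txids": len(set(txids)),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("fixed", FIXED_PORT_SAMPLE), ("random", RANDOM_PORT_SAMPLE)):
        print(label, port_randomization_report(sample))
```

A capture of only a handful of queries is enough to tell a fixed port from a varying one, which is the distinction the patches are about; a repeated port in a small sample is not proof of a problem, but a single port across every query is.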
If anyone has any questions about the vulnerability, how the tests work, or how to use them, go ahead and ask away. I'll answer as much as I can.
Vulnerability notice from US-CERT:
www.kb.cert.org/vuls/id/800113