The last few days (actually almost a month now) have been very exciting in the relatively
“boring” world of DNS. In that world nothing much changes… DNS has been around for
quite a while now and it has always helped us translate friendly names into long and daunting
numbers (IP addresses).
It did so in a reliable and predictable manner. Yet that soothing effect of predictability seems
to have gotten it into trouble. According to security researcher Dan Kaminsky, a vulnerability
exists in the DNS implementation itself (affecting all vendors) that allows cache poisoning
(in other words, an incorrect IP address will be inserted into a DNS server's cache for a well
known website [e.g. your bank]).
Dan turned over the details to multiple vendors and worked with them to patch their systems.
He also decided to keep the details of this vulnerability confidential until his session at the Black
Hat security conference in Las Vegas (this seems to have failed, the details have leaked to the
Internet and discussion around his request to keep it quiet rages on).
In addition to that it seems that now there is an actual working exploit out there…
I won’t go into too much technical detail regarding this vulnerability (partly due to the fact that
I am not fully familiar with it), yet it seems that it has to do with the predictability of the
queries and replies being exchanged between clients and servers.
Microsoft has released a patch for this vulnerability at:
Note that the patch changes the behavior of DNS servers (specifically which source ports they use), and
this may confuse some firewall software.
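Because the fix hinges on the resolver no longer sending its queries from a predictable source port, the practical check a defender wants is: do my resolver's outbound queries still all come from one port (or march upward one by one), or do they now vary? The following is an added example, not code from the original post or from any vendor's patch. It runs over constructed (source_port, transaction_id) pairs of the kind you would read off a packet capture of a resolver's outbound queries; the sample data, the thresholds and the function names are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

# Constructed samples, not captured from any real resolver. Each entry is a
# (source_port, transaction_id) pair as it would appear in a capture of a
# resolver's outbound queries.
UNPATCHED_SAMPLE = [(53, 0x4000 + i) for i in range(64)]           # fixed port 53
SEQUENTIAL_SAMPLE = [(1024 + i, 0x4000 + i) for i in range(64)]    # port increments by 1
_rng = random.Random(1234)                                         # seeded so runs are reproducible
PATCHED_SAMPLE = [(_rng.randint(1024, 65535), _rng.randint(0, 0xFFFF)) for _ in range(64)]


def shannon_entropy_bits(values):
    """Entropy of the observed distribution in bits.

    With N samples the estimate is capped at log2(N), so it describes the
    sample, not the resolver's full 16-bit port space.
    """
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(ports):
    """Fraction of adjacent queries whose source port moved by exactly 1."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if abs(b - a) == 1)
    return steps / (len(ports) - 1)


def assess_port_randomization(samples, min_distinct_ratio=0.5, max_sequential=0.2):
    """Classify a resolver's outbound source-port behaviour from observed queries.

    Thresholds are illustrative assumptions: a healthy resolver should reuse
    few ports across a short window and should not step through them in order.
    """
    ports = [port for port, _ in samples]
    distinct = len(set(ports))
    entropy = shannon_entropy_bits(ports)
    seq = sequential_fraction(ports)
    if distinct < min_distinct_ratio * len(samples):
        verdict = "POOR: source port is fixed or heavily reused"
    elif seq > max_sequential:
        verdict = "POOR: source port is sequential, hence predictable"
    else:
        verdict = "GOOD: source port varies unpredictably in this sample"
    return {
        "samples": len(samples),
        "distinct_ports": distinct,
        "port_entropy_bits": round(entropy, 2),
        "sequential_fraction": round(seq, 2),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED_SAMPLE),
                         ("sequential", SEQUENTIAL_SAMPLE),
                         ("patched", PATCHED_SAMPLE)):
        print(name, assess_port_randomization(sample))
```

The entropy figure is the part worth watching on a real capture: a fixed port contributes nothing beyond the 16-bit transaction ID, while a well-randomized port adds close to another 16 bits. This is also why the patch can upset firewalls, as the note above says: the resolver now sends from many high-numbered ports instead of one.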
CERT has published an article at: