Exploit for DNS Cache Poisoning - RELEASED

Before, if you wanted to poison a cache for www.gmail.com, you get the
victim name server to try to look up www.gmail.com and spoof flood the
server trying to beat the real reply by guessing the correct ID. if
you fail, you may need to wait for the victim name server to expire
the cache before trying again.

That's why that crummy technique isn't used.

The new way is slightly more sneaky. You get the victim to try to
resolve an otherwise invalid and uncached hostname like
00001.gmail.com, and try to beat the real response with spoofed

That's the normal technique, as far as I was aware.

Except this time your reply comes with an additional record
containing the IP for www.gmail.com to the one you want to redirect it

Thought that was the normal technique for cache poisoning. I'm pretty
sure that at some point, code was added to BIND to actually implement
this whole bailiwick system, rather than just accepting arbitrary out-
of-scope data, which it ... used to do (sigh, hi BIND4).

If you win the race and the victim accepts your spoof for
00001.gmail.com, it will also accept (and overwrite any cached value)
for your additional record for www.gmail.com as well. If you don't win
the race, you try again with 00002.gmail.com, and keep going until you
finally win one. By making up uncached hostnames, you get as many
tries as you want in winning the race.

Right. To the best of my knowledge, that's neither a new nor a clever
technique for generating additional DNS request transactions.

By tacking on an additional
reply record to your response packet you can poison the cache for
anything the victim believes your name server should be authoritative

And that's one standard form of poisoning.

Cache poisoning and sending extra data is an interesting topic. I have
to admit that my experience with it is somewhat dated, and a lot of it is
as much as a decade out of date, when I was writing miniature authoritative
name servers for application load balancing purposes. I did in fact do
a number of experiments against various implementations to see what sins I
could get away with, and I have to say, the protocol is remarkable in that
so many broken-seeming things that I deliberately inflicted while playing
around can be worked out by server implementations. But, then again, the
beauty of DNS is that it hasn't really changed much over time ...

This means DNS cache poisoning is possible even on very busy servers
that normally you wouldn't be able to predict when it was going expire
its cache, and if you fail the first time you can keep trying again
and again until you succeed with no wait.

This is disappointing, because Vixie specifically stated that this was a
new attack, and I'm pretty sure he said it was one where the exploit could
not be determined merely by knowing the sort of change that was being made
to BIND.

Well, the change that was made to BIND was to randomize source ports,
which indicated it was a forged-response attack of some kind.

Knowing that there were further statements about the weakness of the PRNG
for the QID suggested that it was susceptible to a brute-force attack.

I guess there's a vague hint of novelty in it all if you want to be a tad
more clever about what you're corrupting. I can think of a few examples,
which I will respectfully not discuss, just in case someone hasn't thought
of them, but basically it seems to me that this is neither a new nor a
novel attack.

So I'm not super impressed. Do I see the need for the patch? Yes. Do I
see the need to lie about the nature of the problem? I guess, but this is
not any more of a problem today than it was a year (or ten!) ago, except
maybe now someone is threatening to finally do something that might cause
DNSSEC to get deployed, which seems like it would have been a better way
to scare people, IMHO.

I think a bunch of us saw the problem with spoofed DNS years ago, and I'm
pretty sure a bunch of DNSSEC people have been predicting exactly this
state of affairs for quite some time, and knowledge of the general problem
predates even that.

... JG


I think that's the beauty of this attack: the data ISN'T out of scope.
The resolver is expecting to receive one or more answers to
00001.gmail.com, one or more authority records (gmail.com NS
www.gmail.com) and additional records providing addresses for the
authority records (www.gmail.com A

Bill Herrin