The Mysterious DNS Exploit

On Tuesday, July 8th, Microsoft’s usual package of patches seemed to end-users like every other Patch Tuesday — some security updates to various and sundry Windows files to patch security vulnerabilities unknown.  However, it contained something very unusual this time — a design change to DNS.

DNS has been around since the 1970’s, so people don’t expect it to change much.  And this wasn’t an ordinary patch, fixing a bug in the code where it was behaving in an unintended fashion.  In this case, Dan Kaminsky found something potentially extremely serious in the designed behavior of DNS and reported it to all the major DNS vendors.  As a result, it wasn’t just Microsoft that released a patch, but also Apple, Cisco, and the Internet Systems Consortium (makers of BIND, the primary DNS daemon of the UNIX world.)

Dan did this in secret, to prevent people from exploiting the bug.  This led to a lot of skepticism about whether it was a “real” vulnerability, or just Kaminsky (a ubiquitous figure in the security press and an amusing character by anyone’s measure) engaging in self-promotion by pointing out something already well-known.

If the linked blog post seems confusing, what he is implying is that all Kaminsky “found” was the fact that the DNS sequence number, used to match DNS replies with queries, is extremely short, such that if you can send 65,535 spoofed replies to a DNS server before the real server manages to reply, you can poison the cache.  While this is true, and a problem, it’s been known for a decade and is not interesting.  It’s exploitable in another way, too — you could ensure your forged response gets in first by forcing a user to make many queries (e.g. by giving him a web page with tens of thousands of embedded images) while you spoofed a flood of responses with constant sequence numbers.  If you attached CNAMEs to all of those, and put the images on subdomains of the target (e.g. 1.google.com, 2.google.com, 3.google.com, etc.), you could potentially clobber the DNS record for a top-level domain on the end-user’s server.

The end result of which would be that if a user visits your malicious web site, you change the IP that, say, google.com goes to for everyone using that DNS server.

However, bad as all that sounds, it seems that Kaminsky found something even worse.  All of the skeptics of his discovery who have been let in on the secret have come around to his side, and all the DNS vendors issued a design-change patch.  Among other things, this patch broke ZoneAlarm — everyone running ZoneAlarm found themselves suddenly unable to use the Internet at all.  (At least, so it appeared — my guess is that they were actually just unable to make DNS queries, but to a normal non-tech-savvy user this amounts to a total loss of Internet.)

So, what is this exciting new DNS vulnerability?  Right now, heaven only knows (well, and Dan.)  But Kaminsky has promised to tell us all about it at BlackHat 2008, and I’ll certainly be there to post the results here.  For now… patch your DNS servers.  The only hint we have right now is that source port randomization (one of the mitigations in the DJBDNS secure DNS package) would have stopped it.
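To make the two points above concrete (the 16-bit sequence number race described earlier, and why source port randomization is the mitigation everyone is pointing at), here is a small model I have added; it is not code from the post or from any DNS vendor, and it sends no packets. A resolver's outstanding query is represented by its transaction ID and UDP source port, a forged reply is accepted only if every field the resolver checks matches, and the odds of a blind forgery burst winning are computed both exactly and by simulation. The port-audit grading thresholds are assumptions of this example, not a published standard, and the sample port lists are constructed.

```python
"""Model of the DNS reply-forgery race and the source-port-randomization
mitigation. Constructed example: nothing here touches the network."""
import math
import random
from collections import Counter

TXID_SPACE = 1 << 16          # 16-bit DNS transaction ("sequence") ID
EPHEMERAL = range(1024, 65536)  # assumed ephemeral source-port range


def reply_accepted(query, reply, check_port):
    """Resolver matching rule. TXID must always match; with source port
    randomization the reply must also arrive on the ephemeral port the
    query left from, which a blind forger cannot observe."""
    if reply["txid"] != query["txid"]:
        return False
    return (not check_port) or reply["dport"] == query["sport"]


def forgery_odds(forged_replies, port_entropy_bits=0):
    """Exact probability that a burst of `forged_replies` distinct guesses
    contains the one the resolver accepts, when the forger must guess 16
    TXID bits plus `port_entropy_bits` of source port."""
    space = TXID_SPACE << port_entropy_bits
    return min(1.0, forged_replies / space)


def simulate_race(forged_replies, check_port, trials=300, rng=None):
    """Monte Carlo version of the same race: per trial the resolver issues
    one query and a blind forger answers with `forged_replies` guesses
    before the real reply. Returns the fraction of trials it wins."""
    rng = rng or random.Random(1)
    wins = 0
    for _ in range(trials):
        query = {"txid": rng.randrange(TXID_SPACE),
                 # unpatched resolvers used one fixed port (assumed 53 here)
                 "sport": rng.choice(EPHEMERAL) if check_port else 53}
        guesses = rng.sample(range(TXID_SPACE), forged_replies)
        if any(reply_accepted(query,
                              {"txid": g, "dport": rng.choice(EPHEMERAL)
                               if check_port else 53},
                              check_port)
               for g in guesses):
            wins += 1
    return wins / trials


def port_randomization_grade(observed_ports):
    """Defender's check: estimate the Shannon entropy (bits) of the source
    ports a resolver was seen using, capped by log2(sample size).
    Verdict thresholds are an assumption of this example."""
    total = len(observed_ports)
    counts = Counter(observed_ports)
    bits = -sum(c / total * math.log2(c / total) for c in counts.values())
    if bits < 1.0:
        verdict = "FIXED"          # same port every time: unpatched
    elif bits >= math.log2(total) - 0.5:
        verdict = "RANDOMIZED"     # nearly every sample distinct
    else:
        verdict = "WEAK"
    return round(bits, 2), verdict


# Constructed samples of 32 outgoing query source ports.
UNPATCHED_PORTS = [53] * 32
PATCHED_PORTS = random.Random(7).sample(EPHEMERAL, 32)

if __name__ == "__main__":
    print("100 forged replies, TXID only:", forgery_odds(100))
    print("100 forged replies, TXID + 16 port bits:", forgery_odds(100, 16))
    print("simulated, unpatched:", simulate_race(6554, check_port=False))
    print("simulated, patched:", simulate_race(6554, check_port=True))
    print("unpatched audit:", port_randomization_grade(UNPATCHED_PORTS))
    print("patched audit:", port_randomization_grade(PATCHED_PORTS))
```

The exact formula is the whole story in one line: a burst of 6,554 forgeries has about a 10% chance against a bare 16-bit ID, and roughly one chance in six hundred thousand once the port adds another sixteen bits. The audit function is the kind of check a resolver operator can run against a capture of their own server's outgoing queries to confirm the patch actually took effect.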
