Posted by: Greg Ness | July 22, 2008


There are about 11 million servers using the Internets Domain Name System (DNS) to coordinate traffic across the Internet to their proper destinations.  About 6 months ago Dan Kaminsky, Director of penetration testing at IOActive, discovered a way to exploit long-known DNS vulnerabilities to easily implement cache poisoning attacks   that can compromise the integrity of the Internet.  A few highlights from Computerworld’s coverage of the DNS flaw follow:


“DNS servers are responsible for routing all Internet traffic to their correct destinations. The so-called cache-poisoning vulnerability that Kaminsky discovered could allow attackers to redirect Web traffic and e-mails to systems under their control, according security researchers. The flaw exists at the DNS protocol level and affects numerous products from multiple vendors.”

Jaikumar Vijayan, Computerworld, July 17


Word of the DNS flaw was made public earlier this month thanks to a collaborative update from the likes of Cisco and Microsoft.  Details were withheld in order to give administrators time to patch their systems. 


The flaw would allow hackers to launch unlimited queries against DNS servers without being detected, allowing them to run simple random number guesses to collect transaction IDs and other critical information that could be used to redirect web traffic to spoof sites.  These kinds of attacks can be successful, and in turn, detrimental to an organization’s web presence, in mere seconds.


According to Kaminsky, a weakness exists in a transaction identification process that the DNS protocol uses to determine whether responses to DNS queries are legitimate or not. DNS messages include what are supposed to be random identification numbers, but the problem, according to Kaminsky, is that only about 65,000 different values are currently being used as identifiers. And in reality, the process of assigning the identifiers to packets isn’t especially random and can be guessed, he said.

Jaikumar Vijayan, Computerworld, July 17


While some have speculated whether or not the vulnerability is old news, Mike Fratto had recently delivered a stern warning to patch all DNS servers in his InformationWeek blog: 


Since the CERT announcement yesterday about the new vulnerabilities in DNS, there has been a lot of speculation that what Dan Kaminsky found is old news. Thomas Ptacek from Matasano, in an interview with Nathan McFeters at ZDNet, pretty much dismisses the vulnerability as old news and therefore unimportant. That sentiment is echoed on mailing lists and message boards. But in an e-mail today, Kaminsky confirmed that what he found is something very new. I believe him. Forget the arguments. Go patch your DNS servers. Now.

 Mike Fratto, InformationWeek, July 9

Making matters worse, a slip-up between security researchers discussing the cache poisoning attack via blog exchanges has inadvertently released details of how to launch an exploit in  the wild, making it only a matter of time before real attacks appear.


Here is the coverage from ZDnet yesterday afternoon: Has Halvar figured out super-secret DNS vulnerability?


Clearly irked by a demand request from Kaminsky and others to avoid speculating on the details of the flaw until the patch is fully deployed, Flake (left) published a reliable method to forge and poison DNS lookups.

Ryan Naraine, ZDnet, July 21


You can expect to read much more about this in the coming days, if not hours.


You can find out even more from this recent webinar hosted by Dan Kaminsky and Infoblox VP of Architecture Cricket Liu: DNS Security: Old Vulnerabilities, New Exploits.  It is sponsored by Infoblox, and is perhaps one of the most current and informative recorded events on the topic.  You can also read more at Kaminsky to discuss DNS flaw at Black Hat sponsored webcast.




For more background, you can read the following articles: Who is Really at Risk From the DNS Flaw? Is DNSSEC the Answer to Internet Security?


InformationWeek blog: Stop Arguing and Patch your DNS


Computerworld: DNS flaw discoverer says more permanent fixes will be needed


You can read my disclosure at: About Archimedius .




  1. […] basically spell it out. The exploit is known, and it can be performed in less than 10 seconds. More here. Patch now! Hello There! Thank you for visiting my site. This is the professional blog of Eric […]

  2. […] The crazy exploit targeting a widely acknowledged vulnerability in about more than 11 million DNS servers. These servers are critical to the security of the Internet, as I mentioned yesterday at: DNS VULNERABILITY NOW IN THE WILD. […]

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: