Multiple Vendors DNS Spoofing Vulnerability - SANS Internet Storm Center



Today, Microsoft was just one vendor releasing a patch for its DNS server. The Internet Systems Consortium published a very similar patch for its own DNS server, BIND.

InfoSec Handlers Diary Blog - Multiple Vendors DNS Spoofing Vulnerability

The root cause is a fundamental, well-known weakness in the DNS protocol. DNS uses UDP, a stateless protocol. A DNS server sends a request in a single UDP packet, then waits for a response to come back. In order to match a response to its request, a number of parameters are checked:

  • Who sent the response? Was it the DNS server we sent the request to?
  • For this particular response, do we have an outstanding request?
  • Each request uses a unique and random query ID. The response has to carry the same query ID.
  • The response has to be sent to the same port from which the request was sent.


How bad is it?

If you run a caching DNS server, patch it soon. I wouldn't say "today, while ignoring sane patch management", but check with your vendor and follow their guidance. The world is not going to end today. It will in fact end 2 1/2 years from today (different story ;-) ). But this is something you have to fix soon. Right now, the US-CERT advisory lists about 80 vulnerable products.
Eventually we all may have to break down and fix DNS. DNSSEC is an extension to DNS that adds cryptographic authentication of responses. However, it requires a PKI infrastructure which at this point doesn't exist. There is not much to be gained from implementing DNSSEC on your own (but by all means: try it out and see how it works).



Increasing the entropy makes it more difficult for attackers to spoof DNS replies. Today, we released MS08-037 to further increase the difficulty of spoofing DNS transactions. We modified the DNS client and server resolvers to send requests from a random source port. Previously, an attacker would need to only guess the correct transaction ID. After applying MS08-037, an attacker will need to guess both the transaction ID and source port in order to successfully spoof a DNS reply. In short, randomized source ports for DNS transactions add another unique piece of information to DNS transactions, which makes spoofing more difficult.
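The following is an added illustration, not code from the diary or from any vendor's resolver, of the two points above: the four checks a resolver applies to match a reply to an outstanding request, and how much a random source port adds to the 16-bit query ID. It builds a small DNS query and answer in memory (constructed sample data, name `example.com`, server `192.0.2.53`, documentation addresses only), parses the 12-byte header and question section, and runs the matching checks. The ephemeral port range of 1024-65535 (64512 ports) used in the guess-space calculation is an assumption; real resolvers differ in the range they draw from.

```python
import secrets
import struct
from dataclasses import dataclass


def build_header(txid, flags, qdcount=1, ancount=0):
    # DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 §4.1.1).
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def encode_name(name):
    # Wire-format name: length-prefixed labels terminated by a zero byte.
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def build_query(txid, name):
    # Standard query (RD set), one question for A/IN.
    return build_header(txid, 0x0100) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip):
    # Response (QR|RD|RA set) echoing the question plus one A record;
    # 0xc00c is a compression pointer back to the name at offset 12.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return build_header(txid, 0x8180, 1, 1) + encode_name(name) + struct.pack("!HH", 1, 1) + rr


def parse_header(packet):
    txid, flags, *_ = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000)}


def parse_question(packet):
    # Walk the labels of the first question; returns (name, qtype, qclass).
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass


@dataclass(frozen=True)
class Outstanding:
    """What the resolver remembers about a request it has sent."""
    server: str    # upstream server we sent the query to
    src_port: int  # UDP source port the query left from
    txid: int      # 16-bit query ID
    qname: str     # question we asked


def new_request_identity():
    # The fix described above: draw both the ID and the source port at random.
    # Assumption: ephemeral ports 1024..65535.
    return secrets.randbelow(1 << 16), 1024 + secrets.randbelow(65536 - 1024)


def response_matches(out, src_ip, dst_port, packet):
    """Apply the four checks from the list above; return (accepted, reason)."""
    hdr = parse_header(packet)
    if not hdr["qr"]:
        return False, "not a response"
    if src_ip != out.server:
        return False, "wrong source address"      # who sent it?
    if dst_port != out.src_port:
        return False, "wrong destination port"    # same port we sent from?
    if hdr["id"] != out.txid:
        return False, "wrong query id"            # same query ID?
    qname, _, _ = parse_question(packet)
    if qname != out.qname:
        return False, "no outstanding request"    # did we ask this?
    return True, "accepted"


def blind_guess_probability(attempts, randomize_port):
    """Chance that `attempts` blind forgeries hit the right ID (and port)."""
    space = (1 << 16) * ((65536 - 1024) if randomize_port else 1)
    return 1 - (1 - 1 / space) ** attempts


if __name__ == "__main__":
    txid, port = new_request_identity()
    pending = Outstanding("192.0.2.53", port, txid, "example.com")
    good = build_response(txid, "example.com", "192.0.2.10")
    forged = build_response((txid + 1) & 0xFFFF, "example.com", "198.51.100.1")
    print(response_matches(pending, "192.0.2.53", port, good))
    print(response_matches(pending, "192.0.2.53", port, forged))
    print(blind_guess_probability(1000, False), blind_guess_probability(1000, True))
```

The interesting comparison is the last line: with only the query ID randomized, a thousand blind forgeries already have a noticeable chance of matching, while adding the port multiplies the guess space by the size of the port range. The matching function also shows why the checks are only as good as their entropy: every field it compares is visible or predictable to anyone on the path unless it is chosen at random.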