Is This Another Specious DNS Vulnerability?

Kevin Darcy kcd at chrysler.com
Fri Jul 11 23:23:54 UTC 2008


Merton Campbell Crockett wrote:
> For the last few days there have alarums raised over Dan Kaminsky's  
> DNS findings, new releases of BIND, and patches to Microsoft DNS  
> Service released.  Is this another "cache snooping" style DNS  
> vulnerability that has no significance when multiple instances of BIND  
> are used at one's security perimeter?
>
> Roughly 15 years ago, I developed, what I thought was, a unique way of  
> using BIND for my company's customers.  I'm sure that others may have  
> come up with the same solution.  Is there some place where I can find  
> the actual details of the problem that would allow me to analyze the  
> threat to my company's customers?
>
>   
I'm not sure exactly what you mean by "cache snooping". This latest 
attack consists of forging responses to recursive queries. At least, 
that's seems to be the case, from what has been disclosed so far.

As for the *details*, they have been kept under tight wraps while people 
are deploying the patched versions of nameservers, and will be presented 
on August 6.

In the meantime, various tools have been developed to test for this 
vulnerability. Two that I know of are the OARC tool ("dig +short 
porttest.dns-oarc.net TXT @localhost" from the command line), or the 
web-based tool on the www.doxpara.com home page.

- Kevin





More information about the bind-users mailing list